Privacy Policy

Last Updated: April 9, 2026

Optimum Ventures LLC ("Survivor Protocol," "we," "our," or "us") operates survivorprotocol.com and provides AI-powered cancer research services. This Privacy Policy describes the information we collect from and about you when you visit our Website, complete our intake form, participate in a case review call, purchase our services, communicate with us via phone, text, or email, or otherwise interact with Survivor Protocol. It explains how we use, share, and protect that information — including Protected Health Information (PHI) — and your rights regarding your data.

This document also serves as our Notice of Privacy Practices regarding Protected Health Information, as required for entities voluntarily implementing HIPAA-level protections.

Important State-Specific Notices: California Residents — you have specific rights under the California Consumer Privacy Act (CCPA); see Section 12. Virginia Residents — you have specific rights under Virginia Code 59.1-577; see Section 13. EU/EEA/UK Residents — you have specific rights under the GDPR; see Section 14.

By using survivorprotocol.com, submitting an intake form, scheduling or participating in a call, making a purchase, or otherwise providing information to Survivor Protocol, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein. If you do not agree with this Privacy Policy, do not use our services.

This Privacy Policy is incorporated into and subject to our Terms of Service, available at survivorprotocol.com/tos.

To exercise any privacy right, contact: [email protected]


1. WHO WE ARE

Optimum Ventures LLC (Florida LLC, Document #L19000213631) operates Survivor Protocol (survivorprotocol.com), an AI-powered cancer research service. We compile and organize published, peer-reviewed scientific literature into personalized research protocols for cancer patients. Our deliverables include personalized clinical summaries with cited research, complete research compendiums, AI-generated video walkthroughs, clinical trial matches, supplement safety audits, and nutrition plans — all generated using artificial intelligence systems that analyze published medical literature against your specific diagnosis and health data.

What We Are: A research compilation and information service that uses AI to organize existing published science into personalized reports.

What We Are NOT: We are not a healthcare provider, medical practice, pharmacy, laboratory, health plan, healthcare clearinghouse, or any other type of entity that meets the definition of a "covered entity" under HIPAA (45 CFR 160.103). We do not provide medical advice, diagnosis, or treatment. No doctor-patient relationship is created by using our services. Despite not being a HIPAA-covered entity, we voluntarily implement HIPAA-level protections for your health information (see Section 5).

For purposes of applicable privacy laws: for residents of GDPR jurisdictions (EU/EEA/UK), Optimum Ventures LLC is the data controller responsible for your personal data. For California residents, Optimum Ventures LLC is a "Business" as defined by the CCPA.

Privacy Contact:
Optimum Ventures LLC
Attn: Privacy Officer (Joseph Balmaceda)
3613 Pomerol Drive, Unit 101
Wellington, FL 33414
Email: [email protected]
Phone: (561) 350-6949


2. INFORMATION WE COLLECT

We collect information in three ways: information you provide directly, information collected automatically when you interact with our Website, and information received from third parties. Below is a comprehensive list of each category.

A. Information You Provide Voluntarily

You may provide the following information when you complete our intake form, schedule a call, make a purchase, communicate with us, or otherwise use our services:

Identifiers: Full name, email address, phone number, mailing address, date of birth, age, and preferred method of contact.

Protected Health Information (PHI): Cancer type and subtype; cancer stage and grade; biomarker and genetic mutation test results (e.g., HER2, BRCA, KRAS, PD-L1, TMB, MSI); current and past cancer treatments (chemotherapy regimens, radiation, surgery, immunotherapy, targeted therapy, hormone therapy); pathology reports and biopsy results; blood work and laboratory results (CBC, CMP, tumor markers, inflammatory markers); current medications with dosages and frequency; current supplements with dosages and frequency; symptoms, side effects, and pain levels; functional status and mobility; weight, height, and body composition changes; dietary habits and nutritional intake; exercise habits and physical activity level; sleep quality and patterns; stress levels and mental health status; alcohol, tobacco, and substance use; medical imaging results (CT, MRI, PET, X-ray); clinical trial enrollment status or interest; oncologist and healthcare provider names, institutions, and contact information; health insurance information (if provided); family cancer history; health goals and treatment priorities; and any other health-related details you share in your intake form, during calls, or in communications with us.

Caregiver-Submitted Information: If a family member, caregiver, or legal guardian submits information on your behalf (see Section 15), we collect the same categories of PHI listed above, along with the submitter's name, relationship to the patient, and contact information.

Financial Information: Payment method details are processed directly by Stripe, Inc. and its partners (Afterpay, Affirm). We do NOT receive, store, or have access to your full credit card number, debit card number, or bank account number. We receive only: transaction confirmation (amount, date, status), last four digits of your card, card type (Visa, Mastercard, etc.), billing name and address, and Afterpay/Affirm payment plan status.

Communications: Emails you send to us or that we send to you; text messages (SMS/MMS) sent and received; call recordings (audio) of all phone calls with Survivor Protocol; AI-generated transcripts of all calls; duration and timestamp of calls; chat messages through our website or CRM; and any files, images, or documents you share with us via any communication channel.

Uploaded Medical Files: Blood work results, pathology reports, biopsy results, scan/imaging results, medical records, treatment summaries, physician letters, and any other files you upload through our intake form or send to us via email. These files may contain PHI beyond what you enter in the intake form.

B. Information Collected Automatically

When you visit our Website or interact with our emails, the following information is collected automatically:

Device and Browser Information: IP address, browser type and version, operating system, device type (desktop, mobile, tablet), screen resolution, and language preference.

Usage Information: Pages visited, time spent on each page, links clicked, scrolling behavior, referring URL (the page that brought you to us), and exit pages.

Cookies and Tracking Technologies: We use cookies and similar tracking technologies on our Website. Specifically: Essential Cookies — required for basic website functionality (session management, security); these cannot be disabled. Analytics Cookies — Google Analytics tracks website usage patterns to help us improve our services. Google's privacy policy applies (policies.google.com/privacy). You may opt out at https://tools.google.com/dlpage/gaoptout. Advertising Cookies — Meta (Facebook) Pixel and Conversions API (CAPI) track conversion events (page views, form submissions, purchases) to measure and optimize our advertising. Meta's privacy policy applies (facebook.com/privacy). These tools may collect your IP address, browser information, and on-site behavior and share it with Meta for advertising purposes. You may opt out of Meta's targeted advertising through your Facebook ad settings.

Location Information: General geographic location based on your IP address (city/state level). We do NOT collect precise GPS location data.

C. Information from Third Parties

We may receive information about you from the following sources:

Payment Processors: Transaction confirmation, payment status, and dispute/chargeback notifications from Stripe, Afterpay, and Affirm.

Advertising Platforms: Conversion data, click identifiers, and campaign attribution data from Meta (Facebook/Instagram) and Google Ads, used to measure advertising effectiveness.

Social Media: If you interact with our social media accounts (comment on posts, send direct messages, engage with ads), the platform may provide us with your public profile information and the content of your interaction.

CRM Platform: GoHighLevel may generate behavioral data based on your interactions with our emails, text messages, and scheduling system (e.g., email open rates, link clicks, appointment status).

D. Information We Do NOT Collect

We do not collect: Social Security numbers; driver's license or government ID numbers (unless you include them in uploaded medical records); health insurance policy numbers or group IDs (unless you voluntarily provide them); employer information; biometric data (fingerprints, facial recognition); precise GPS location; or information from children directly (see Section 15).


3. HOW WE USE YOUR INFORMATION

We use your information only for the purposes described below. Where applicable under GDPR, the lawful basis for each processing purpose is noted.

Protocol Generation (Lawful Basis: Contract Performance): We use your identifiers, PHI, uploaded medical files, and call recordings/transcripts to: analyze published medical literature against your specific diagnosis, biomarkers, and treatment history; generate your personalized clinical summary with cited research; generate your complete research compendium; identify clinical trials you may be eligible for based on your cancer type, stage, biomarkers, treatments, and geographic location; conduct a supplement safety audit assessing interactions between your current supplements, medications, and treatments; decode your blood work against cancer-specific published reference ranges; create a personalized nutrition plan based on published evidence; and generate a personalized AI video walkthrough that references you by name and walks through your specific findings.

Protocol Updates (Lawful Basis: Contract Performance): When you purchase a protocol update, we use your updated PHI, new call recordings/transcripts, and new uploaded files — combined with your original data — to regenerate your protocol with updated findings, safety flags, trial matches, and recommendations.

Payment Processing (Lawful Basis: Contract Performance): We use your financial information to process payments through Stripe and its partners (Afterpay, Affirm), manage refund requests, and respond to payment disputes or chargebacks. We may retain transaction records as evidence in dispute resolution.

Communications (Lawful Basis: Consent / Legitimate Interest): We use your identifiers and contact information to: deliver your protocol and video walkthrough via email; send service-related notifications (delivery confirmation, appointment reminders, follow-ups); make outbound phone calls, including calls that may be automated, pre-recorded, or use an AI-generated voice; send text messages (SMS/MMS), including automated or AI-generated messages; and send marketing and promotional communications (with your consent). Transactional communications related to your protocol delivery are sent under legitimate interest and are not subject to marketing opt-out.

Service Improvement (Lawful Basis: Legitimate Interest): We use de-identified and aggregated data to: improve the accuracy and quality of our AI research systems; conduct quality assurance reviews on delivered protocols; analyze service effectiveness and patient outcomes (in aggregate only); train and refine our protocol generation processes; and improve our website, intake form, and user experience.

Safety and Quality Assurance (Lawful Basis: Legitimate Interest): We use your PHI to: verify that supplement recommendations do not conflict with your medications or treatments; flag potential safety concerns or drug interactions; ensure clinical trial matches are appropriate for your profile; and review protocols for accuracy before or after delivery.

Fraud Prevention and Security (Lawful Basis: Legitimate Interest): We use automatically collected information (IP addresses, device data, behavioral patterns) and CRM data to: detect and prevent bot traffic, fake form submissions, and fraudulent bookings; protect the integrity of our advertising data and pixel events; investigate suspected impersonation of our brand; and protect against unauthorized access to our systems or patient data.

Legal Compliance (Lawful Basis: Legal Obligation): We use your information as necessary to: comply with applicable laws, regulations, and legal processes; respond to subpoenas, court orders, or law enforcement requests; enforce our Terms of Service; protect our rights, property, or safety; and defend against legal claims.

How We Do NOT Use Your Information: We do NOT use your information to: sell to third parties (ever); provide to data brokers or marketing companies; target you with third-party advertising unrelated to Survivor Protocol; make automated decisions about your medical care; deny you services based on your health status; discriminate against you in any way; or contact your healthcare providers without your direction.


4. AI PROCESSING OF YOUR INFORMATION

Survivor Protocol is built on artificial intelligence. Your information passes through multiple AI systems during protocol generation. This section explains exactly what that means, which systems touch your data, and what happens to your data at each step.

What "AI Processing" Means: When we say your information is "processed by AI," we mean that your health data (diagnosis, treatments, medications, supplements, blood work, symptoms, and other details from your intake form, uploaded files, and call transcripts) is submitted as input to large language model AI systems. These AI systems analyze your data against published medical literature to identify relevant research, clinical trials, supplement interactions, and other findings specific to your situation. The AI output is then compiled into your deliverables.

The AI Processing Pipeline: Your data flows through the following sequence of AI-powered steps:

Step 1 — Call Recording and Transcription: If you participate in a case review call, the call is recorded and an AI system generates a written transcript of the conversation. This transcript captures everything said on the call and is used as context for your protocol.

Step 2 — Research and Analysis: AI language models analyze your intake data, uploaded medical records, and call transcript against databases of published, peer-reviewed medical literature including PubMed, Cochrane Library, ClinicalTrials.gov, and peer-reviewed journals. The AI identifies research findings relevant to your specific diagnosis, biomarkers, and treatment history.

Step 3 — Clinical Summary Generation: AI systems compile the research findings into a formatted clinical summary document with peer-reviewed citations, evidence levels, and DOI links, designed for your oncologist to review.

Step 4 — Video Walkthrough Generation: A third-party AI video platform (HeyGen) generates a personalized video using an AI-created avatar (not a real person) and AI-synthesized voice. The video script references you by first name and walks through your specific findings. The video is hosted on HeyGen's servers and delivered to you via a unique link.

Step 5 — Delivery: Your completed protocol documents and video link are delivered to you via email.

AI Service Providers: Your PHI is transmitted to and processed by the following categories of third-party AI service providers: AI Language Model Providers (e.g., Anthropic, OpenAI, Manus AI) — process your health data to generate research findings, clinical summaries, and written content. AI Video Generation Provider (HeyGen) — receives your protocol script containing your name and findings to generate your personalized video. Workflow Automation Provider (Zapier) — transmits your data between systems in our pipeline. CRM Provider (GoHighLevel, HIPAA BAA in place) — stores your contact information, intake data, and case notes. These providers operate under their own privacy policies and terms of service. Not all of these providers are HIPAA-covered entities or have executed Business Associate Agreements with us (see Section 5 for details on our PHI protections).

AI Data Retention by Providers: We do not control how long third-party AI providers retain the data we submit to them. Some providers may retain input/output data for a limited period for abuse prevention, debugging, or service improvement purposes per their own policies. We select providers whose data handling practices we have reviewed, but we cannot guarantee that all providers delete your data immediately after processing.

AI Training: We do not authorize third-party AI providers to use your PHI to train their general-purpose AI models. Where provider terms allow us to opt out of training data usage, we do so. However, we cannot guarantee that all providers fully exclude your data from all model improvement processes.

AI-Generated Content Limitations: All content in your protocol — including research findings, citations, clinical trial matches, supplement recommendations, and video narration — is generated by AI. AI-generated content may contain errors, inaccuracies, fabricated citations, incorrect statistics, or outdated information. While we implement quality control processes, these processes are also AI-assisted and may not catch every error. You must independently verify all findings with your healthcare provider before acting on them.

Human Oversight: Our protocol generation pipeline is designed and monitored by the Survivor Protocol team. However, individual protocols may be generated and delivered without line-by-line human review of every finding and citation. Our quality assurance processes include systematic checks but do not constitute medical review by a licensed healthcare professional.

Your Consent: By using our services, you expressly consent to the AI processing of your PHI as described in this section, including transmission to the third-party AI providers listed above. If you do not consent to AI processing of your health information, do not use our services, as AI processing is integral to every aspect of our service delivery.


5. PROTECTED HEALTH INFORMATION (PHI) — NOTICE OF PRIVACY PRACTICES

Purpose and Scope: This section serves as our Notice of Privacy Practices (NPP) regarding Protected Health Information. It describes how your health information may be used and disclosed, and how you can access this information.

Survivor Protocol (Optimum Ventures LLC) is a research compilation service. While we may not meet the statutory definition of a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA, 45 CFR 160.103), we voluntarily implement safeguards consistent with HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) because we believe every cancer patient's health information deserves the highest level of protection — regardless of whether the law technically requires it from us. We signed a Business Associate Agreement with our CRM provider (GoHighLevel) and implement administrative, technical, and physical safeguards modeled on the HIPAA Security Rule.

What Constitutes PHI in Our Service: In our context, Protected Health Information (PHI) means any information that both identifies you (or could reasonably be used to identify you) AND relates to your health condition, healthcare, or payment for healthcare. This includes all categories of health information described in Section 2A of this Privacy Policy when combined with your identifiers (name, email, phone number, address). Your call recordings and transcripts constitute PHI because they contain both your identity and health details discussed during the call. Your protocol documents (clinical summary, research compendium, video walkthrough) constitute PHI because they contain your name linked to your diagnosis and findings.

Permitted Uses and Disclosures: We use and disclose your PHI only for the following purposes:

Protocol Generation (analogous to "treatment operations" under HIPAA): Generating your personalized clinical summary, research compendium, video walkthrough, clinical trial matches, supplement safety audit, and nutrition plan. This is the primary reason we collect your PHI.

Payment Operations: Processing your payment through Stripe and its partners, managing refunds, and responding to chargebacks or disputes.

Service Operations: Conducting quality assurance on protocols, reviewing protocols for accuracy and safety, improving our AI systems using de-identified data, and internal training.

At Your Direction: Providing your clinical summary or protocol to your healthcare providers when you choose to share them. We will never contact your healthcare providers without your explicit direction.

Legal Compliance: Responding to valid subpoenas, court orders, or law enforcement requests as required by law (see Section 7).

Fraud Prevention: Investigating suspected interference with our systems, impersonation of our brand, or unauthorized access to patient data (see Section 7).

Prohibited Uses — We Will NEVER: sell your PHI to any third party, under any circumstances; share your PHI with data brokers or marketing companies; use your PHI for marketing unrelated to our services without your separate written authorization; share your PHI with employers, insurance companies, or underwriters; use your PHI to make decisions about your medical care (we provide research, not medical decisions); or disclose your PHI to family members, caregivers, or any other person without your authorization (unless they are the authorized submitter of your intake form).

Third-Party PHI Transmission: Your PHI is transmitted to third-party AI and automation services as described in Section 4. Not all of these providers have executed Business Associate Agreements (BAAs) or are subject to HIPAA. Our approach: Where BAAs Are Available — we execute them; our CRM platform (GoHighLevel) has a signed BAA in place as of April 2026. Where BAAs Are Not Available — we implement alternative safeguards including transmitting only the minimum PHI necessary for the specific processing step, using encrypted connections (SSL/TLS) for all data transmission, reviewing each provider's published privacy and security practices, not transmitting Social Security numbers, financial account numbers, or insurance ID numbers to AI providers, and selecting providers with enterprise-grade security practices. By using our services, you expressly consent to this transmission and acknowledge the associated risks.

Business Associate Agreements: We maintain BAAs with service providers who create, receive, maintain, or transmit PHI on our behalf where such agreements are available, in accordance with 45 CFR 164.502(e) and 164.504(e). Our BAAs require business associates to: implement appropriate safeguards to protect PHI; report any security incidents or breaches; ensure their subcontractors agree to the same restrictions; return or destroy PHI upon termination of the agreement; and make PHI available to satisfy individual rights requests.

Minimum Necessary Standard: We apply the minimum necessary standard to all uses and disclosures of your PHI. In practice, this means: our AI systems receive only the health data needed for the specific processing step; our workflow automation transmits only the fields required for each task; our video walkthrough contains only the findings relevant to your protocol; and internal access to your case files is limited to authorized personnel who require access for their specific role.

AI-Generated Video Walkthroughs: Your personalized video walkthrough contains your first name, cancer diagnosis, and specific research findings narrated by an AI avatar. This video is hosted on third-party servers (HeyGen). You acknowledge that: your PHI is embedded in the video content and cannot be separated from it; the video is accessible via a unique link that should be treated as confidential health information; you are responsible for not sharing the video link with unauthorized persons; the video hosting platform is not a HIPAA-covered entity; and we cannot guarantee the security of video content on third-party servers. You may request deletion of your video at any time by emailing [email protected].

Uploaded Medical Files: When you upload medical records, blood work, pathology reports, scans, or other files: these files are stored on our CRM platform's servers (HIPAA BAA in place); transmitted to AI processing systems for protocol generation; accessible only by authorized personnel and AI systems necessary for protocol generation; retained per the data retention schedule in Section 9; and not shared with any party other than the AI systems required to generate your protocol. We recommend retaining your own copies of all medical records you upload.

Your Rights Regarding Your PHI: You have the following rights. To exercise any right, email [email protected] with the subject line "PHI Rights Request" and include your full name, the specific right you are exercising, and enough detail for us to locate your records and fulfill your request.

Right to Access: You may request a copy of your PHI that we maintain, including intake data, call transcripts, protocol documents, and case notes. We will provide the requested information in electronic format within 30 days of your request. We may charge a reasonable cost-based fee for copies if the request is extensive. We may deny access only if the information was not created by us, is not maintained by us, or if disclosure could reasonably endanger someone's life or safety.

Right to Amendment: If you believe your PHI in our records is incorrect or incomplete, you may request an amendment in writing. We will respond within 60 days. We may deny the request if: the information was not created by us; the information is not part of our records; the information is accurate and complete as-is; or the information is not available for inspection. If we deny your request, we will provide a written explanation, and you may submit a statement of disagreement that will be attached to your record.

Right to an Accounting of Disclosures: You may request a list of disclosures of your PHI that we have made for purposes other than protocol generation, payment, or service operations within the prior six years. We will provide this accounting within 60 days. The accounting will include: the date of each disclosure, the name and address of the recipient, a description of the PHI disclosed, and the purpose of the disclosure.

Right to Request Restrictions: You may request that we restrict how we use or disclose your PHI for specific purposes. We will consider your request but are not required to agree to all restrictions. If we agree to a restriction, we will honor it unless the information is needed for emergency treatment or legal compliance.

Right to Confidential Communications: You may request that we communicate with you about your health information in a specific way or at a specific location. For example, you may request communication only by email, only to a specific phone number, or only at a specific address. We will accommodate all reasonable requests.

Right to a Copy of This Notice: You may request a paper or electronic copy of this Notice of Privacy Practices at any time by emailing [email protected].

Right to Revoke Authorization: If you have provided written authorization for a specific use or disclosure of your PHI beyond what is described in this policy, you may revoke that authorization at any time in writing. Revocation does not apply to uses or disclosures already made in reliance on the authorization.

Breach Notification: A "breach" is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by this policy that compromises the security or privacy of the PHI. A "security incident" is an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information in our systems. In the event of a breach of unsecured PHI, we will comply with the HITECH Act (42 U.S.C. 17932) and HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D): we will notify affected individuals without unreasonable delay and within 60 calendar days of discovery; notification will include a description of the breach, the types of PHI involved, steps you should take to protect yourself, what we are doing to investigate and mitigate, and contact information for follow-up questions; if a breach affects 500 or more individuals, we will also notify HHS and prominent media outlets; if a breach affects fewer than 500 individuals, we will log the breach and report to HHS annually. Security incidents that do not rise to the level of a breach (e.g., unsuccessful hacking attempts, password guessing) are logged internally and reviewed but do not trigger individual notification.

Workforce Access and Sanctions: Access to your PHI is limited to authorized personnel who require access to perform their job functions. All workforce members (including employees, contractors, and virtual assistants) who access PHI are required to: complete privacy and security training before accessing PHI; agree to written confidentiality obligations; access only the minimum PHI necessary for their specific role; and report any suspected privacy or security incidents immediately. Violations of PHI policies by workforce members result in sanctions proportional to the severity of the violation, up to and including termination and referral to law enforcement for criminal violations.

De-Identified and Aggregated Data: We may create de-identified or aggregated data from your PHI by removing all identifiers that could reasonably be used to identify you, in accordance with the HIPAA de-identification standard (45 CFR 164.514). De-identified data is no longer considered PHI and may be used for service improvement, research, and aggregate reporting (e.g., "87% of patients found clinical trial matches") without restriction.

Complaints: If you believe your privacy rights have been violated, you may: file a complaint with us at [email protected]; or file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at https://www.hhs.gov/hipaa/filing-a-complaint/index.html or by calling 1-800-368-1019. We will not retaliate against you for filing a complaint. Filing a complaint will not affect your access to our services or the quality of your protocol.


6. CALL RECORDING AND COMMUNICATIONS

Call Recording

ALL phone calls with Survivor Protocol — inbound and outbound — are recorded in their entirety. Audio recordings are captured from the moment the call connects until it ends.

Florida Two-Party Consent (F.S. 934.03): Florida law requires all parties to a call to consent to recording. At the beginning of every call, you will hear a disclosure such as: "This call is being recorded and will be processed by our AI system. Is that okay with you?" Your continued participation after this disclosure constitutes your consent. If you do not consent to recording, you must disconnect immediately. If you disconnect, you may still communicate with us via email at [email protected] — however, protocol generation requires a recorded call for optimal personalization.

AI Transcription: All recorded calls are transcribed by AI systems to produce a written text record of the conversation. AI transcription captures the substance of the conversation but may not be 100% verbatim — it may contain minor errors in names, medical terminology, or background speech. The transcript is used as primary input for generating your personalized protocol.

Recording Storage and Access: Call recordings (audio) and AI-generated transcripts are stored on our CRM platform (GoHighLevel, HIPAA BAA in place) and transmitted to AI systems for protocol generation. Access to recordings is limited to authorized personnel and AI systems. Recordings are retained per the schedule in Section 9. You may request deletion of your call recordings at any time by emailing [email protected] with the subject line "Recording Deletion Request."

Types of Calls: You may receive or participate in the following types of calls: Case Review Calls — free consultations where you share your cancer story and we discuss what a full protocol would cover; Follow-Up Calls — post-purchase calls to review your protocol findings and discuss next steps; Outbound AI Calls — automated calls that may use an AI-generated voice to deliver appointment reminders, follow-up messages, or other communications; and Voicemails — messages left on your voicemail that may use an AI-generated voice and will identify themselves as being from Survivor Protocol.

Outbound Communications

By providing your phone number and/or email address to Survivor Protocol — whether through our intake form, website, scheduling system, or during a call — you expressly consent to the following:

Phone Calls: You consent to receive phone calls from Survivor Protocol, including calls that may be automated, use pre-recorded messages, or use an AI-generated voice (not a live human). AI voice calls will identify themselves as AI at the beginning of the call. Calls may come from our business phone number or from our CRM platform's calling system.

Text Messages (SMS/MMS): You consent to receive text messages from Survivor Protocol, including automated and AI-generated messages. Message types include: appointment confirmations and reminders, protocol delivery notifications, follow-up messages after calls, and marketing or promotional messages (with your consent). Message frequency varies but typically does not exceed 10 messages per month.

Email: You consent to receive emails from Survivor Protocol including: protocol delivery emails with your documents and video link, service-related notifications, follow-up communications about your case, and marketing and promotional emails (with your consent).

TCPA Compliance: Your consent to receive automated calls and text messages constitutes your "prior express written consent" under the Telephone Consumer Protection Act (TCPA, 47 U.S.C. § 227) for marketing communications, and "prior express consent" for informational and transactional communications. Consent to receive marketing communications is not a condition of purchasing our services. Message and data rates from your mobile carrier may apply.

Transactional vs. Marketing Communications

Transactional Communications: Messages directly related to your purchase and protocol delivery — including delivery confirmations, appointment reminders, payment receipts, and follow-up messages about your case. These are necessary for service delivery and you may not opt out of these while you have an active order or case.

Marketing Communications: Promotional messages about Survivor Protocol services, special offers, educational content, and other communications not directly tied to an active order. You may opt out of these at any time.

Opt-Out

You may opt out of marketing communications at any time through any of the following methods: reply STOP to any text message (you will receive a confirmation and no further marketing texts); click the unsubscribe link at the bottom of any marketing email; email [email protected] with the subject line "Opt-Out"; or tell us verbally on any phone call.

Opting out of marketing communications does NOT opt you out of transactional service communications related to your protocol delivery, active case, or account. To cease ALL communications including transactional messages, you must email [email protected] and request complete communication cessation — note that this may impact our ability to deliver your protocol or provide support.

We will process all opt-out requests within 10 business days. Due to processing time, you may receive a small number of messages after opting out.


7. WHO WE SHARE YOUR INFORMATION WITH

We do NOT sell your personal information or PHI. We have never sold personal information or PHI. We will never sell personal information or PHI. This commitment is unconditional and applies regardless of any business transfer, acquisition, dissolution, or change of ownership.

A. Service Providers: We share your information with the following categories of service providers, limited to the minimum data necessary for each provider to perform its function:

Payment Processing — Stripe, Inc. (stripe.com/privacy): Receives your payment method details, billing name/address, and transaction amount. Stripe is PCI-DSS compliant. We do not receive or store your full card numbers.

Payment Partners — Afterpay (afterpay.com/privacy) and Affirm (affirm.com/privacy): If you choose a payment plan, these providers receive your billing information and manage your installment payments under their own terms and privacy policies.

Workflow Automation — Zapier, Inc. (zapier.com/privacy): Receives your intake form data, contact information, and case status to route data between systems in our pipeline. Zapier processes data in transit and does not permanently store your PHI.

AI Language Models — Anthropic (anthropic.com/privacy), OpenAI (openai.com/privacy), Manus AI: Receive your PHI (diagnosis, treatments, medications, supplements, blood work, call transcripts) to generate research findings, clinical summaries, and written protocol content. See Section 4 for details on AI data retention and training policies.

Video Generation — HeyGen (heygen.com/privacy): Receives your protocol script (containing your first name, diagnosis, and findings) to generate your personalized video walkthrough. The video is hosted on HeyGen's servers.

CRM and Communications — GoHighLevel (gohighlevel.com/privacy): Stores your contact information, intake data, call recordings, transcripts, case notes, and communication history. HIPAA BAA in place as of April 2026.

Website Analytics — Google Analytics (policies.google.com/privacy): Receives anonymized website usage data (pages visited, time on site, referral source). Does NOT receive your PHI. You may opt out at https://tools.google.com/dlpage/gaoptout.

Advertising — Meta/Facebook (facebook.com/privacy): Receives conversion event data (page views, form submissions, purchases) through the Meta Pixel and Conversions API (CAPI) to measure and optimize our advertising. Does NOT receive your PHI, diagnosis, or health details. Receives only behavioral event data (e.g., "a purchase occurred") with hashed identifiers for matching.

B. Your Healthcare Team: We do NOT share your protocol, clinical summary, or any other information with your healthcare providers. YOU share it. We provide your protocol documents to you, and you decide whether and how to share them with your oncologist or healthcare team. We will never contact your healthcare providers on your behalf without your explicit written direction.

C. Legal Requirements: We may disclose your information, including PHI, when required by: a valid subpoena, court order, or legal process; applicable federal, state, or local law; a request from a government agency or regulator with jurisdiction; or circumstances where we reasonably believe disclosure is necessary to prevent imminent harm to life or safety.

Legal Process Protocol: If we receive a subpoena, court order, or other legal demand for your PHI: (1) we will notify you promptly unless notification is prohibited by law or court order; (2) we will provide only the minimum PHI specifically required by the legal demand; (3) we will assert available legal protections and privileges on your behalf where appropriate, including objecting to overly broad requests; (4) we will document every disclosure including the date, recipient, PHI disclosed, and legal basis; and (5) we will not voluntarily disclose your PHI to law enforcement without a valid legal demand unless there is an imminent and credible threat to life or safety.

D. Business Transfer: In the event of a merger, acquisition, reorganization, dissolution, or sale of all or substantially all assets of Optimum Ventures LLC, your information (including PHI) may be transferred to the successor entity. Any successor entity will be bound by the terms of this Privacy Policy with respect to information collected prior to the transfer. No PHI will be sold, auctioned, or transferred as a standalone business asset separate from the ongoing service obligation. If no successor entity assumes our service obligations, all PHI will be securely destroyed (see Section 11).

E. Fraud Prevention and Investigation: We may collect, retain, and share information related to suspected fraudulent, abusive, or illegal activity affecting our services — including IP addresses, device fingerprints, browser information, access logs, behavioral patterns, and communication records — with law enforcement agencies, legal counsel, advertising platforms (including Meta), internet service providers, and other parties as necessary to investigate and prosecute violations. This includes the investigation of: artificial traffic generation and bot activity; pixel manipulation and advertising fraud; brand impersonation and unauthorized use of our name; fake booking or intake form submissions; unauthorized access to our systems or patient data; and any other interference with our business operations.

F. De-Identified and Aggregate Data: We may share de-identified or aggregated data that cannot reasonably be used to identify you with research partners, industry publications, marketing materials, and the general public (e.g., "87% of patients found clinical trial matches they didn't know about"). De-identified data is not considered PHI (see Section 5).

G. Authorized Agents: If you authorize another person to make a privacy rights request on your behalf (an authorized agent), that agent must demonstrate written authorization from you or legal power of attorney. We reserve the right to verify authorization directly with you before fulfilling any agent request. Authorized agents are prohibited from using your information for any purpose other than fulfilling your request.

H. Who We Do NOT Share Your Information With: We do NOT share your information with: data brokers or data aggregation companies; marketing companies or mailing list providers; pharmaceutical companies; insurance companies or health plans; employers or potential employers; advertisers (other than hashed conversion event data to Meta for ad measurement, which contains no PHI); credit reporting agencies; or any other third party not listed in this section.


8. DATA SECURITY

We implement a security program modeled on the HIPAA Security Rule framework, consisting of administrative, technical, and physical safeguards designed to protect your information against anticipated threats.

Administrative Safeguards: Designated Security Responsibility — The Privacy Officer (Joseph Balmaceda, Managing Member) is responsible for the development and implementation of our security policies and procedures. Workforce Security — All personnel with access to PHI are required to complete privacy and security training, agree to confidentiality obligations, use unique login credentials for every system, and report suspected security incidents immediately. Access to PHI is granted on a minimum-necessary basis and revoked promptly when no longer required. Security Incident Procedures — We maintain documented procedures for identifying, responding to, and mitigating security incidents. All suspected incidents are logged, investigated, and resolved. Incidents involving PHI are assessed for breach notification requirements (see Section 5). Vendor Assessment — Before engaging any service provider who will access PHI, we review their published security practices, privacy policies, and data handling procedures. We execute Business Associate Agreements where available. We periodically reassess vendor security practices.

Technical Safeguards: Encryption in Transit — All data transmitted between your browser and our Website, between our systems and third-party providers, and between our CRM and AI systems is encrypted using SSL/TLS (Secure Sockets Layer / Transport Layer Security). Encryption at Rest — Data stored in our CRM platform (GoHighLevel) is encrypted at rest using the platform's built-in encryption capabilities. Access Controls — All systems containing PHI require unique user identification (no shared accounts), strong password requirements, and two-factor authentication (2FA) where available. Failed login attempts are monitored. Automatic Session Termination — Systems containing PHI are configured to automatically log out after periods of inactivity. Audit Controls — Our CRM platform maintains audit logs of access to patient records, including who accessed what data and when. Payment Security — All payment processing is handled by Stripe, which is PCI-DSS Level 1 compliant — the highest level of payment security certification. We never receive, process, or store your full credit card number.

Physical Safeguards: Workstation Security — Devices used to access PHI are password-protected, encrypted where technically feasible, and used in private locations. PHI is not accessed on shared or public computers. Device Controls — If a device containing or capable of accessing PHI is lost or stolen, passwords are changed immediately on all accounts, the device is remotely wiped if possible, and the incident is assessed for breach notification requirements. No Removable Media — PHI is not stored on unencrypted USB drives, external hard drives, or other removable media.

Your Responsibility: Security is a shared responsibility. We strongly recommend that you: treat your protocol documents, video walkthrough link, and call recordings as confidential health information; do not share your video walkthrough link publicly or on social media; use a secure, private email address for all communications with us; do not send PHI via unsecured channels such as social media direct messages; and keep your own copies of all documents and files you upload to us.

Limitations: No method of electronic transmission or storage is 100% secure. While we implement commercially reasonable security measures consistent with industry standards and the HIPAA Security Rule framework, we cannot guarantee absolute security of your data. We are not liable for breaches caused by: your own failure to protect your credentials or devices; third-party provider security failures beyond our reasonable control; force majeure events (natural disasters, government actions, infrastructure failures); or criminal activity by third parties despite our reasonable security measures. If we become aware of a security breach affecting your personal information or PHI, we will notify you and applicable authorities as required by law (see Section 5, Breach Notification).


9. DATA RETENTION

We retain your information only as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, and protect our legitimate interests. Below is our retention schedule with the legal basis for each period.

Intake Data, Medical Records, and Protocols: Retained for the duration of our service relationship (from your first purchase through your last interaction with us) plus 6 years. The 6-year post-service retention period aligns with 45 CFR 164.530(j), which requires HIPAA-related documentation to be retained for 6 years from the date of creation or last effective date. This retention also enables us to provide protocol updates if you return for updated research. At the end of this period, data is reviewed and securely deleted unless a legal hold or ongoing obligation requires further retention.

Call Recordings (Audio): Retained for the duration of our service relationship plus up to 1 year for quality assurance and dispute resolution. Audio recordings are securely deleted after the retention period expires.

Call Transcripts (AI-Generated Text): Retained on the same schedule as intake data (service relationship plus 6 years) because transcripts are integral to your protocol and any future updates.

Video Walkthroughs: Your personalized video is hosted on HeyGen's servers for as long as the link remains active. We do not control HeyGen's retention policies. You may request that we delete the video from HeyGen at any time (see Section 10). Once deleted, the video link will no longer function.

Uploaded Medical Files: Retained on the same schedule as intake data (service relationship plus 6 years). We recommend maintaining your own copies of all files you upload.

Payment Records: Retained for 7 years as required by IRS regulations and applicable tax and financial record-keeping laws.

Breach and Compliance Records: Retained for 6 years from the date of creation, per 45 CFR 164.530(j).

Marketing Consent Records: Retained for the duration of your consent plus 3 years after withdrawal to demonstrate compliance with TCPA, CAN-SPAM, and applicable consent requirements.

Website Usage Data: Aggregated, anonymized usage data may be retained indefinitely. Individual-level usage data (IP addresses, browsing behavior) is retained for up to 2 years.

Third-Party Provider Retention: We do not control the retention periods of third-party providers (AI language models, video hosting, payment processors). Each provider retains data according to their own privacy policies. We select providers with reasonable retention practices but cannot guarantee that your data is deleted from their systems on any specific timeline (see Section 4, AI Data Retention by Providers).


10. DATA DELETION

Your Right to Request Deletion: You may request deletion of your personal information and PHI at any time by emailing [email protected] with the subject line "Data Deletion Request." Include your full name and the email address associated with your account so we can locate your records.

Identity Verification: Before processing a deletion request, we may verify your identity by confirming information you previously provided to us. This protects against unauthorized deletion requests.

What We Delete: Upon receiving a verified deletion request, we will delete the following from systems under our direct control within 30 days: your intake form data and medical records from our CRM (GoHighLevel); your call recordings (audio) from our CRM; your AI-generated call transcripts from our CRM; your case notes and internal documentation; your protocol files (clinical summary, research compendium) from our systems; and your contact information from active marketing lists.

Video Walkthrough Deletion: We will submit a deletion request to HeyGen to remove your personalized video. Once processed, your video link will no longer function. We cannot guarantee the exact timeline of deletion from HeyGen's servers.

What We Cannot Delete: We cannot guarantee deletion from third-party AI providers (Anthropic, OpenAI, Manus AI) where your data may have been processed and retained per their own policies, though we will make reasonable efforts to request deletion where provider mechanisms exist. We also cannot delete: copies of your protocol that were already delivered to you (those are on your devices and under your control); payment records required to be retained by tax law (7 years); breach logs and compliance documentation required by law (6 years); records necessary to fulfill an ongoing legal obligation or defend against legal claims; or de-identified, aggregated data that cannot reasonably be linked back to you.

Partial Deletion: You may request partial deletion — for example, deleting your call recordings while retaining your protocol documents, or deleting your marketing contact information while retaining your case files. Specify what you want deleted in your request.

Deletion After Refund: If you receive a refund, your PHI will be retained for 30 days following the refund in case of payment disputes or chargebacks, after which it will be deleted unless you request earlier deletion or legal retention requirements apply.

Confirmation: We will confirm deletion in writing within 30 days of your request, specifying: what was deleted, what could not be deleted and the legal basis for retention, and any third-party deletion requests submitted on your behalf.

Irreversibility: Once your data is deleted, it cannot be recovered. If you later wish to purchase a new protocol, you will need to complete a new intake form and provide all information again.


11. BUSINESS CONTINUITY AND DATA DISPOSITION

We recognize that your PHI must be protected not only during our active operations but also in the event that Optimum Ventures LLC undergoes a change in ownership or ceases to exist.

If Business Continues Under New Ownership: In the event of a merger, acquisition, reorganization, or sale of all or substantially all assets, your information (including PHI) may be transferred to the successor entity. The successor will be bound by the terms of this Privacy Policy for all information collected prior to the transfer. We will notify you via email within 30 days of any such transfer, identifying the successor entity and providing instructions for exercising your privacy rights with the new owner.

If Business Ceases Without a Successor: If Optimum Ventures LLC ceases operations, dissolves, or winds down without a successor entity assuming our service obligations, the following data disposition plan will be executed within 90 days of the decision to cease operations: all PHI in systems under our direct control (CRM, email, file storage) will be securely destroyed using industry-standard data destruction methods (secure deletion, overwriting, or physical destruction as appropriate); deletion requests will be submitted to all third-party providers (HeyGen, AI providers) for any stored patient data; affected individuals will be notified via email at their last known address, informing them that the business has ceased and their data has been or will be destroyed; and a certification of destruction will be documented and retained by the managing member or designated successor for a minimum of 6 years.

Unconditional Commitment: Under no circumstances will PHI be sold, auctioned, licensed, or transferred as a standalone business asset separate from the ongoing service obligation. This commitment survives any dissolution, bankruptcy, or liquidation of Optimum Ventures LLC.


12. CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

This section applies to California residents and supplements the rest of this Privacy Policy with information required by the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.).

Categories of Personal Information Collected: In the preceding 12 months, we have collected the following categories of personal information from California residents: Identifiers (name, email, phone, address, IP address); Personal information under Cal. Civ. Code § 1798.80(e) (name, address, telephone number, credit card number); Health information (cancer diagnosis, treatment history, medications, supplements, blood work, and other medical details as described in Section 2); Commercial information (products or services purchased, transaction history); Internet or electronic network activity (browsing history, search history, interactions with our website and emails); Geolocation data (general location based on IP address); and Audio, electronic, or similar information (call recordings, voicemails).

Sources of Personal Information: Directly from you (intake forms, calls, emails, purchases); automatically from your devices (cookies, pixel, analytics); and from third parties (payment processors, advertising platforms).

Business Purpose for Collection: All personal information is collected for the purposes described in Section 3 of this Privacy Policy, including protocol generation, payment processing, communications, service improvement, safety, fraud prevention, and legal compliance.

Sale of Personal Information: We do NOT sell personal information. We have NOT sold personal information in the preceding 12 months. We will NOT sell personal information in the future. We do not share personal information for cross-context behavioral advertising as defined by the CCPA.

Your California Rights: Right to Know — Up to two times per year, you may request that we disclose: the categories of personal information we have collected about you; the categories of sources from which we collected it; the business or commercial purpose for collecting it; the categories of third parties with whom we share it; and the specific pieces of personal information we have collected about you. Right to Delete — You may request that we delete personal information we have collected from you, subject to certain exceptions (see Section 10). Right to Correct — You may request that we correct inaccurate personal information. Right to Non-Discrimination — We will not discriminate against you for exercising any of these rights. We will not deny you services, charge different prices, provide a different quality of service, or suggest that you will receive any of these as a result of exercising your rights.

How to Exercise Your California Rights: Email [email protected] with the subject line "CCPA Request." Include your full name and specify which right you are exercising. We will verify your identity before fulfilling your request. We will respond within 45 days of receiving your verified request, with one 45-day extension if reasonably necessary (we will notify you of any extension).

Authorized Agents: You may designate an authorized agent to submit a request on your behalf. The agent must provide written authorization from you or a valid power of attorney. We may still require you to directly verify your identity (see Section 7G).


13. VIRGINIA RESIDENTS

This section applies to Virginia residents under the Virginia Consumer Data Protection Act (Virginia Code § 59.1-575 et seq.).

Your Virginia Rights: Right to Access — confirm whether we are processing your personal data and access that data. Right to Correct — correct inaccuracies in your personal data. Right to Delete — delete personal data you have provided or that we have obtained about you. Right to Data Portability — obtain a copy of your personal data in a portable, readily usable format. Right to Opt Out — opt out of the processing of your personal data for targeted advertising, sale of personal data (we do not sell), or profiling in furtherance of decisions that produce legal or similarly significant effects.

How to Exercise Your Virginia Rights: Email [email protected] with the subject line "Virginia Privacy Request." We will respond within 45 days. Right to Appeal — If we decline your request, you may appeal by emailing [email protected] with the subject line "Virginia Privacy Appeal." We will respond to your appeal within 60 days. If we deny your appeal, you may contact the Virginia Attorney General at https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.


14. GDPR (EU/EEA/UK RESIDENTS)

This section applies to individuals located in the European Economic Area (EEA), European Union (EU), or United Kingdom (UK) and supplements the rest of this Privacy Policy with information required by the General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK-GDPR).

Data Controller: Optimum Ventures LLC is the data controller responsible for your personal data. Contact details are provided in Section 18.

Lawful Basis for Processing: We process your personal data on the following legal bases: Consent — for marketing communications, call recording, and AI processing of your health data (you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal); Contract Performance — for generating your protocol, processing payment, and delivering your services; Legitimate Interest — for service improvement, fraud prevention, security, and quality assurance (we have assessed that these interests do not override your fundamental rights); and Legal Obligation — for compliance with applicable laws and regulations.

Your GDPR Rights: Right to Information — you have the right to be informed about how we process your personal data (this Privacy Policy fulfills that obligation). Right of Access — request a copy of your personal data. Right to Rectification — request correction of inaccurate data. Right to Erasure ("Right to Be Forgotten") — request deletion of your data, subject to legal retention requirements. Right to Restrict Processing — request that we limit how we use your data. Right to Data Portability — receive your data in a structured, commonly used, machine-readable format. Right to Object — object to processing based on legitimate interest or for direct marketing purposes. Right Not to Be Subject to Automated Decision-Making — you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not make automated decisions about your medical care; our AI generates research information that you and your healthcare provider use to make decisions.

Cross-Border Data Transfers: Your personal data is transferred to and processed in the United States, which has not received an adequacy decision from the European Commission. We transfer data using appropriate safeguards as permitted by Article 46 of the GDPR, including standard contractual clauses where available.

How to Exercise Your GDPR Rights: Email [email protected] with the subject line "GDPR Request." We will respond without undue delay and within 30 days. If we cannot fulfill your request, we will explain the reason and inform you of your right to lodge a complaint.

Right to Lodge a Complaint: You may lodge a complaint with your local data protection authority. A list of EU data protection authorities is available at https://ec.europa.eu/newsroom/article29/items/612080. For UK residents, contact the Information Commissioner's Office (ICO) at https://ico.org.uk.


15. CHILDREN'S PRIVACY

Our services are designed for adults aged 18 and older. Minors under 18 may not create accounts, submit intake forms, make purchases, or otherwise use our services directly.

Minor Patients: We recognize that cancer affects patients of all ages, including children. A parent or legal guardian may submit an intake form and purchase a protocol on behalf of a minor patient. In such cases, the parent or legal guardian represents and warrants that they have legal authority to consent to the collection and AI processing of the minor's health information, they are providing accurate information about the minor's diagnosis and treatment, and they understand that the minor's PHI will be processed by AI systems and third-party services as described in this Privacy Policy.

Information collected about minor patients is subject to the same protections, retention policies, and rights described throughout this Privacy Policy. The parent or legal guardian may exercise all privacy rights (access, amendment, deletion, etc.) on behalf of the minor patient.

Children Under 13 (COPPA): We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information directly from children under 13 through our website. If a parent or guardian submits information on behalf of a child under 13 for protocol generation, that submission constitutes verifiable parental consent under COPPA. Parents may review, request deletion of, or refuse further collection of their child's information at any time by contacting [email protected].

If you believe a minor has submitted personal information directly to our services without parental authorization, contact [email protected] and we will delete it promptly.


16. TESTIMONIALS AND CASE STUDIES

We will never use your name, likeness, diagnosis, or story in any marketing, testimonial, case study, or promotional material without your separate, explicit written authorization. Any such authorization will clearly describe the specific use, the medium (website, social media, print, etc.), and the duration of the authorized use. You may revoke any testimonial authorization at any time by emailing [email protected], and we will remove the testimonial within 30 days.

De-identified, aggregated data may be used without individual authorization where no individual is reasonably identifiable (e.g., "87% of patients found clinical trial matches" or "our protocols have identified an average of 12 findings per patient").


17. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or business practices.

How We Notify You: For material changes (changes that affect how we collect, use, or share your PHI, or that reduce your rights), we will notify you via email at the address associated with your account at least 30 days before the changes take effect and post a prominent notice on our Website. For non-material changes (formatting, clarifications, or updates that do not substantively change your rights or our practices), we will update the Privacy Policy on our Website with a new "Last Updated" date. Changes take effect on the date specified in the notice or, for non-material changes, upon posting.

Your Options: Your continued use of our services after changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using our services and may request deletion of your data (see Section 10). Material changes do not apply retroactively to information collected before the change, unless you provide affirmative consent.

Prior Versions: Prior versions of this Privacy Policy are available upon request by emailing [email protected].


18. CONTACT

For questions about this Privacy Policy, to exercise any privacy right, or to file a complaint:

Optimum Ventures LLC
Attn: Privacy Officer (Joseph Balmaceda)
3613 Pomerol Drive, Unit 101
Wellington, FL 33414

Email: [email protected]
Phone: (561) 350-6949

For HIPAA-related complaints, you may also contact:
U.S. Department of Health and Human Services
Office for Civil Rights
https://www.hhs.gov/hipaa/filing-a-complaint/index.html
Phone: 1-800-368-1019

For California residents, you may also contact:
California Attorney General
https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

For Virginia residents, you may also contact:
Virginia Attorney General
https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint

For EU/EEA residents, contact your local data protection authority:
https://ec.europa.eu/newsroom/article29/items/612080

For UK residents, contact the Information Commissioner's Office:
https://ico.org.uk