Privacy Policy

Effective May 10, 2026  ·  Version 1.0

Material changes will be communicated by email or prominent website notice at least 30 days before taking effect.

1

Defined Terms and Interpretations

The following capitalized terms, wherever used in this Privacy Policy (the “Policy”), shall have the meanings ascribed to them below. Where context requires, words importing the singular include the plural and vice versa, and words importing any gender include all genders. References to a statute or regulation include all amendments thereto and successor legislation. References to sections are references to sections of this Policy unless otherwise indicated.

Applicable Privacy Law: all privacy, data protection, and information security laws, regulations, codes, regulatory guidance, and binding decisions applicable to a given Processing activity, based on the jurisdiction of the Data Subject, the location of Processing, or other applicable legal connecting factors, including but not limited to: PIPEDA; Alberta PIPA; GDPR; UK GDPR and the Data Protection Act 2018; CCPA/CPRA; PIPL; UAE PDPL; India DPDPA; Japan APPI; South Korea PIPA; Hong Kong PDPO; Saudi Arabia PDPL; Australia Privacy Act 1988; Singapore PDPA; Brazil LGPD; New Zealand Privacy Act 2020; and all associated subordinate legislation and binding regulatory guidance, as each may be amended from time to time.
Authorized Representative: any individual authorized in writing by a Client to act on the Client’s behalf with respect to a property or an engagement, including but not limited to co-owners, estate trustees, corporate officers, power-of-attorney holders, and family members granted access.
Client: any individual or legal entity that has (a) entered into a service agreement with NewVita, (b) submitted a request for services through any NewVita channel, including the Website, or (c) otherwise engaged NewVita to provide Services on their behalf.
Commercial Electronic Message or CEM: a commercial electronic message within the meaning of Canada’s Anti-Spam Legislation, S.C. 2010, c. 23 (“CASL”).
Data Controller or Organization: NewVita Property Group, being the entity that, alone, determines the purposes and means of the Processing of Personal Information in connection with its operations, as further identified in Section 3.
Data Subject: any identified or identifiable natural person whose Personal Information is Processed by NewVita, including but not limited to Clients, Authorized Representatives, website visitors, contractors, and third-party contacts provided by Clients.
Personal Information or Personal Data: any information about an identifiable individual, within the meaning ascribed to that term under Applicable Privacy Law, including but not limited to information defined as “personal information” under PIPEDA and Alberta PIPA, “personal data” under the GDPR and UK GDPR, “personal information” under the CCPA/CPRA, and equivalent terms under all other Applicable Privacy Law. For greater certainty, Personal Information does not include anonymized or de-identified information that cannot reasonably be used to identify an individual.
Processing or Process: any operation or set of operations performed upon Personal Information, whether by automated or manual means, including but not limited to collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Sensitive Personal Information: a subset of Personal Information that, by its nature, warrants heightened protection under one or more Applicable Privacy Laws, including but not limited to: information revealing racial or ethnic origin; religious or philosophical beliefs; political opinions; trade union membership; health, medical, or disability data; genetic or biometric data used for the purpose of uniquely identifying a natural person; data concerning sexual orientation or behaviour; financial account credentials or payment card data; government-issued identification numbers; and precise geolocation data sufficient to identify a property or individual.
Service Delivery Data: Personal Information collected, generated, created, or obtained by NewVita in the direct course of providing on-site property monitoring, documentation, owner-representation, coordination, and related services, including but not limited to timestamped photographs, video recordings, drone footage, inspection reports, condition notes, property access credentials, contractor coordination records, and visit logs.
Service Provider, Data Processor, or Sub-Processor: any natural or legal person, company, or entity engaged by NewVita to Process Personal Information on NewVita’s behalf and under NewVita’s instructions, as more particularly identified in Section 7.
Services: the property monitoring, owner-representation, documentation, coordination, inspection, and ancillary services provided by NewVita to Clients, as described at newvita.ca and in applicable service agreements.
Website: the website operated by NewVita and accessible at newvita.ca, together with all subdomains, pages, and digital properties associated therewith.

2

Introduction, Scope and Binding Effect

This Policy constitutes the legally binding privacy notice of NewVita Property Group and governs the collection, use, storage, disclosure, transfer, and protection of Personal Information in connection with (a) the Website; (b) the Services; (c) all communications between NewVita and Data Subjects; and (d) any future client portals, employee portals, payment platforms, or other digital properties operated by NewVita, whether now existing or hereafter developed (collectively, the “Platforms”). This Policy applies to all Data Subjects whose Personal Information is Processed by NewVita, regardless of the jurisdiction in which such Data Subjects are located, subject to the jurisdiction-specific provisions set out in Section 17.

NewVita is committed to Processing Personal Information in a manner that is lawful, fair, transparent, and consistent with all Applicable Privacy Law. Nothing in this Policy shall be construed to limit or waive any right conferred upon a Data Subject under Applicable Privacy Law; to the extent any mandatory right or protection under Applicable Privacy Law is not specifically addressed herein, such rights and protections are incorporated by reference and shall be enforceable against NewVita to the same extent as if expressly set out in this Policy.

By accessing or using the Website, by submitting Personal Information through any NewVita channel, or by engaging the Services, a Data Subject acknowledges notice of this Policy and of the Purposes for which their Personal Information is Processed. For greater certainty, this acknowledgment of notice does not, in and of itself, constitute consent to any specific Processing activity for which consent is required as the lawful basis under Applicable Privacy Law, including without limitation the GDPR, UK GDPR, PIPL, DPDPA, and equivalent instruments. Where consent is the applicable lawful basis, NewVita shall seek and obtain that consent separately, specifically, and by affirmative act, prior to commencing the relevant Processing activity, and shall maintain records of all such consents, including the date, means, and scope of consent obtained, in accordance with Applicable Privacy Law. A Data Subject’s continued use of the Website or engagement of the Services following Material Amendments to this Policy (as defined in Section 21) shall constitute acceptance of the amended Policy, subject to the non-retroactivity provisions of Section 21.

Where a Data Subject withdraws consent to any Processing activity for which consent is the lawful basis, NewVita shall cease the relevant Processing promptly following receipt of a valid withdrawal request. Withdrawal of consent does not affect the lawfulness of Processing that occurred on the basis of that consent prior to its withdrawal. Data Subjects are advised that withdrawal of consent to essential Processing activities may limit or preclude NewVita’s ability to continue delivering the Services, and NewVita shall notify the Data Subject of any such consequence at or before the time of processing the withdrawal request.

3

Identity of the Data Controller

The Data Controller responsible for Personal Information Processed in connection with the Website and Services is NewVita Property Group, a sole proprietorship duly registered and operating in Edmonton, Alberta, Canada. For the purposes of the GDPR and UK GDPR, NewVita Property Group is the “controller” within the meaning of those instruments. For the purposes of PIPEDA and Alberta PIPA, NewVita Property Group is the “organization” responsible for Personal Information under its custody and control. Equivalent controller or organization designations apply, mutatis mutandis, under all other Applicable Privacy Law.

NewVita has designated a Privacy Officer responsible for overseeing compliance with this Policy and with Applicable Privacy Law. All privacy-related inquiries, access requests, correction requests, withdrawal of consent, and formal complaints shall be directed to the Privacy Officer at the contact information set out below and, in greater detail, in Section 23.

Privacy Officer — NewVita Property Group

Email: privacy@newvita.ca

Location: Edmonton, Alberta, Canada

Response time: acknowledgement within 5 business days; substantive response within 30 days or as required by Applicable Privacy Law.

4

Personal Information We Collect

NewVita collects only such Personal Information as is reasonably necessary for the Purposes identified in Section 5. The following describes the categories of Personal Information collected, the context in which each category is collected, and any applicable limitations or conditions. NewVita does not collect Personal Information by deceptive or misleading means, and collects such information only by fair and lawful means.

4.1 — Information Provided Directly by Data Subjects

When a Data Subject contacts NewVita, books a consultation, submits a service request, or otherwise interacts with NewVita’s channels, NewVita may collect the following, including but not limited to:

  • Full legal name and preferred name or alias
  • Email address and telephone number(s)
  • Property address(es) subject to the Services, including civic address, legal description, and any relevant identifying details
  • Description of the Data Subject's property situation, service requirements, or special instructions
  • Photographs, video, or other media content voluntarily submitted by the Data Subject
  • Consultation scheduling preferences, including preferred date, time, and communication format
  • Payment and billing information, including credit card or bank account details (collected only when payment processing is activated on the Platforms, as further described in Section 7)
  • All written and electronic communications transmitted to NewVita through any channel, including email, contact forms, and messaging applications

4.2 — Information Collected Automatically

When a Data Subject accesses the Website, NewVita’s hosting and infrastructure providers automatically receive and log certain technical information as a standard and necessary incident of internet communications, including but not limited to: IP address and derived approximate geographic region; browser type, version, and language preference; device type, operating system, and screen resolution; uniform resource locators (URLs) of pages visited, time spent on each page, and exit page; referring URL; and the date, time, and duration of each server request. This information is collected by Vercel (website hosting) and Cloudflare (CDN and security infrastructure) and is subject to the terms of Section 7 (international transfers) and Section 11 (cookies and tracking).

4.3 — Service Delivery Data

In the direct course of providing the Services, NewVita collects and generates Service Delivery Data, which may include, without limitation: timestamped photographs and video recordings of property exteriors, interiors, and surrounding environs; aerial drone footage and associated imagery; written inspection checklists, condition assessments, and maintenance observations; property access credentials, including but not limited to alarm codes, lockbox combinations, and key custody records; information about Authorized Representatives, contractors, tradespeople, and other third parties present at or otherwise connected to the property in connection with the Services; executed service authorizations, written instructions, and engagement records; and the complete history of visits, reports, and correspondence arising from the engagement. Service Delivery Data is generated solely in furtherance of the authorized Services and is held subject to the strict confidentiality obligations set out in Section 6.

Important Limitation — Temporal Scope of Service Delivery Data: All Service Delivery Data — including without limitation inspection photographs, condition assessments, written reports, and video recordings — reflects the condition of the property exclusively at the time of each individual authorized visit. NewVita makes no representation or warranty, express or implied, as to the condition, security, safety, or status of any property at any time other than during the specific scheduled or authorized visit at which the Service Delivery Data was generated. No Service Delivery Data shall be construed as a guarantee, certification, or ongoing attestation of property condition, structural integrity, occupancy status, or security, and NewVita assumes no liability for events, changes, damage, or losses occurring between visits or outside the scope of an authorized engagement.

4.4 — Special Categories of Personal Information

NewVita does not intentionally solicit, collect, or Process Sensitive Personal Information, including but not limited to health data, racial or ethnic origin, religious beliefs, biometric identifiers, or financial account credentials, in the ordinary course of its operations. Notwithstanding the foregoing, NewVita acknowledges that, in isolated circumstances — such as estate administration engagements, insurance-related documentation, or Client-initiated disclosure — Sensitive Personal Information may be incidentally received. In all such cases, NewVita shall: (a) Process such information only to the extent strictly necessary for the specific Purpose for which it was received; (b) apply heightened safeguards commensurate with the sensitivity of the information; (c) not retain such information beyond the operational necessity of the specific engagement; and (d) where required by Applicable Privacy Law, obtain explicit consent prior to any further Processing. Data Subjects are advised not to submit Sensitive Personal Information to NewVita unless it is directly relevant to and necessary for the Services requested.

4.5 — Information About Third Parties

In the course of engaging the Services, Clients may provide NewVita with Personal Information relating to third parties, including but not limited to family members, co-owners, beneficiaries, contractors, tenants, or other Authorized Representatives. By providing such Personal Information, the Client represents and warrants that: (a) the Client has the requisite authority, consent, or legal basis to disclose such Personal Information to NewVita; (b) the relevant third parties have been informed of this Policy or have otherwise provided any consent required under Applicable Privacy Law; and (c) such disclosure does not violate any applicable law, contractual obligation, or duty of confidence owed to the third party. NewVita shall Process Personal Information about third parties only to the extent strictly necessary to deliver the Services authorized by the Client.

5

Purposes of Processing and Lawful Basis

NewVita Processes Personal Information solely for specified, explicit, and legitimate purposes (the “Purposes”) and does not further Process Personal Information in a manner that is incompatible with those Purposes. The Purposes, together with the applicable lawful basis under the GDPR and UK GDPR, are set out below. Data Subjects in jurisdictions other than the EU/EEA and UK should note that the applicable lawful basis may differ under their local Applicable Privacy Law; NewVita shall comply with such local requirements to the extent applicable.

| Purpose | Description | GDPR / UK GDPR Lawful Basis |
| --- | --- | --- |
| Service Delivery | To provide, coordinate, document, and report on the Services, including all on-site visits, inspections, and coordination activities. | Contract performance (Art. 6(1)(b)) |
| Client Communications | To respond to inquiries, confirm bookings, issue service reports and inspection documentation, send transactional notifications, and otherwise communicate regarding the Services. | Contract performance (Art. 6(1)(b)) |
| Contract Administration | To prepare proposals, execute and administer service agreements, process payments, issue invoices, and maintain billing and account records. | Contract performance (Art. 6(1)(b)) |
| Legal & Regulatory Compliance | To comply with all Applicable Privacy Law, tax obligations, insurance requirements, court orders, regulatory demands, and lawful governmental requests. | Legal obligation (Art. 6(1)(c)) |
| Security & Fraud Prevention | To protect the security of the Platforms and properties in NewVita's care; to detect, investigate, and prevent fraud, unauthorized access, and other illegal activity. | Legitimate interests (Art. 6(1)(f)) |
| Business Operations | To maintain internal business records, improve service quality, administer and develop the Platforms, train personnel, and fulfil operational and administrative requirements. | Legitimate interests (Art. 6(1)(f)) |
| Future Platform Features | To operate client account portals, scheduling systems, and payment processing platforms directly connected to existing Service Delivery and Contract Administration purposes, as each such feature is deployed. Specific purposes and lawful bases for each new feature will be disclosed to Data Subjects by updated Privacy Policy notice prior to collection, in accordance with Section 21. | Contract performance / Legitimate interests (Art. 6(1)(b)/(f)) — basis to be confirmed per feature at time of launch |
| Consent-Based Processing | For any Processing activity not otherwise covered by the above bases and for which consent is the appropriate lawful basis under Applicable Privacy Law. | Consent (Art. 6(1)(a)) |

Where NewVita relies on legitimate interests as the lawful basis for Processing, NewVita has assessed that such interests are not overridden by the fundamental rights and freedoms of the relevant Data Subjects, having regard to the reasonable expectations of those Data Subjects in the context of the Services. A record of NewVita’s legitimate interests assessment is available upon written request to the Privacy Officer.

6

Disclosure, Sharing and Onward Transfer

NewVita does not sell, rent, trade, barter, or otherwise transfer Personal Information to any third party for that party’s own marketing, advertising, or commercial purposes, whether for valuable consideration or otherwise. NewVita discloses Personal Information only in the circumstances and to the extent described in this Section 6. In all cases, disclosure is limited to the minimum information necessary to accomplish the stated purpose, consistent with the principle of data minimization.

6.1 — Service Delivery Disclosures

NewVita may disclose Personal Information — including property details, service instructions, and contact information — to contractors, tradespeople, insurance adjusters, legal professionals, or other service providers engaged on a Client’s behalf and at a Client’s explicit direction. Any such disclosure: (a) occurs solely on the authority of the Client’s written instruction or documented electronic authorization (email, messaging platform, or other written record); (b) is limited to the Personal Information strictly necessary to perform the specific task; and (c) is subject to appropriate confidentiality expectations. NewVita shall not share Service Delivery Data or property access credentials with any third party in the absence of explicit written Client authorization or a legal obligation to do so. For greater certainty, oral or telephone instructions alone shall not constitute sufficient authority for the disclosure of property access credentials, Service Delivery Data, or any Personal Information beyond basic scheduling confirmation; all such disclosures require documented authorization that can be retained in the engagement record.

6.2 — Service Provider Disclosures

NewVita engages third-party Service Providers who Process Personal Information on NewVita’s behalf under contractual data processing obligations. Such disclosures are subject to the terms of Section 7 and the processor details set out therein. NewVita remains responsible, as Data Controller, for the lawful handling of Personal Information by its Service Providers and shall take reasonable steps to ensure that each Service Provider maintains appropriate technical and organizational safeguards.

6.3 — Legally Required Disclosures

Notwithstanding any other provision of this Policy, NewVita may disclose Personal Information where required to do so by a valid court order, subpoena, search warrant, regulatory demand, or other lawful governmental or quasi-governmental authority having jurisdiction over NewVita or the relevant Personal Information. Where NewVita is legally permitted to do so, NewVita shall notify the affected Client or Data Subject prior to or promptly following such disclosure, and shall disclose no more Personal Information than is strictly required to comply with the applicable legal obligation.

6.4 — Disclosures in Connection with Business Transfers

In the event of a sale, assignment, amalgamation, merger, reorganization, acquisition, or other disposition of all or a material part of NewVita’s business or assets (each, a “Business Transfer”), Personal Information held by NewVita may be transferred to the acquiring or successor entity as part of that transaction. Prior to or promptly following the completion of any such Business Transfer, NewVita shall provide affected Data Subjects with notice of the transfer and of any material changes to this Policy that result from it, by means consistent with Section 21 (Amendments). Data Subjects in applicable jurisdictions shall retain all rights under Applicable Privacy Law with respect to their Personal Information following any Business Transfer.

6.5 — Prohibition on Sale of Personal Information

For greater certainty, and without limiting the generality of the foregoing: NewVita does not, and shall not, sell, share for cross-context behavioral advertising purposes, or otherwise transfer Personal Information for valuable consideration to any third party. This prohibition applies regardless of the jurisdiction of the Data Subject and is not subject to opt-out; it is an absolute constraint on NewVita’s operations.

6.6 — Third-Party Websites and External Links

The Website and this Policy may contain hyperlinks to third-party websites, platforms, or resources that are not owned or operated by NewVita, including without limitation the privacy policy links set out in Section 7. Such links are provided for convenience only. NewVita makes no representation or warranty as to the privacy practices, policies, or security of any third-party website and expressly disclaims all responsibility and liability for the collection, use, or disclosure of Personal Information by such third parties. Data Subjects are advised to review the privacy policy of any third-party website before submitting Personal Information thereto.

7

Third-Party Service Processors and Sub-Processors

NewVita engages the following Service Providers to Process Personal Information on its behalf in connection with the operation of the Website and the delivery of the Services. Each Service Provider is engaged under contractual terms that require the Processing of Personal Information only on NewVita’s instructions, for the specific function identified, and subject to security and confidentiality obligations consistent with Applicable Privacy Law. NewVita has assessed each Service Provider’s security posture prior to engagement and shall reassess periodically or upon material change to the Service Provider’s practices. Each Service Provider receives the minimum Personal Information necessary to perform its designated function, and no more.

| Provider | Function | Personal Information Shared | Privacy Policy |
| --- | --- | --- | --- |
| Resend | Transactional email delivery | Name, email address, message content | resend.com |
| Cal.com | Consultation scheduling | Name, email, phone, scheduling preferences | cal.com |
| Mapbox | Address autocomplete | Address input text | mapbox.com |
| Lark (Larksuite) | Internal communications & service coordination | Operational data for service coordination | larksuite.com |
| Cloudflare | CDN, DNS, security & DDoS protection | IP address, request metadata | cloudflare.com |
| Vercel | Website hosting & infrastructure | IP address, browser data, server logs | vercel.com |
| Vercel Analytics | Anonymous website analytics | Aggregated traffic data — no personal identifiers | vercel.com |
| Stripe, Inc. | Payment processing (card, Apple Pay, Google Pay) | Cardholder name, billing address, payment card details (handled exclusively by Stripe — not stored by NewVita) | stripe.com |

Payment Processing: NewVita uses Stripe, Inc. to process card payments, Apple Pay, and Google Pay. Payment card numbers and financial account credentials are entered directly into Stripe's secure payment interface and are handled exclusively by Stripe — they are never transmitted to or stored by NewVita. Stripe's data practices are described at stripe.com/privacy. NewVita does not store cardholder data.

8

International and Cross-Border Data Transfers

NewVita operates from Edmonton, Alberta, Canada and provides the Services to Clients located in jurisdictions worldwide. Accordingly, Personal Information collected through the Website and in connection with the Services may be transferred to, stored in, and Processed in Canada and in other countries where NewVita’s Service Providers maintain infrastructure, including without limitation the United States. By using the Website or engaging the Services, Data Subjects acknowledge that their Personal Information may be transferred outside their jurisdiction of residence to a country that may not provide a level of Personal Information protection equivalent to that of their home jurisdiction.

In all cases of cross-border Personal Information transfer, NewVita shall ensure that appropriate safeguards are in place prior to the transfer, consistent with the requirements of Applicable Privacy Law. The specific safeguards applicable to Data Subjects in particular jurisdictions are described below.

EU/EEA and UK Residents

Canada currently holds a European Commission adequacy decision in respect of organizations subject to PIPEDA (Commission Decision C(2002) 4539), which facilitates transfers of personal data from the EU/EEA to NewVita in Canada without the need for additional transfer mechanisms. In the event that the European Commission’s adequacy decision for Canada is suspended, revoked, modified, or otherwise rendered unavailable for any reason — whether by legislative change, judicial decision, regulatory action, or any other cause — NewVita shall promptly implement alternative lawful transfer mechanisms for onward transfers of EU/EEA Personal Data, including without limitation Standard Contractual Clauses (“SCCs”) as then approved by the European Commission, binding corporate rules, or such other mechanism as is available under the GDPR at the time. NewVita shall notify affected Data Subjects of any material change to the applicable transfer mechanism in accordance with Section 21. For transfers by NewVita to Service Providers operating in the United States or other third countries lacking an adequacy decision, NewVita relies upon SCCs as approved by the European Commission or the UK Information Commissioner’s Office, as applicable, or such other approved transfer mechanisms as may be available under the GDPR or UK GDPR at the time of transfer. NewVita further confirms that it will conduct, and has conducted, a transfer impact assessment (“TIA”) as appropriate with respect to transfers to third countries, and shall make the results of any such assessment available to the competent supervisory authority upon request. Copies of applicable transfer safeguards are available from the Privacy Officer upon written request.

Chinese Residents

NewVita Processes Personal Information relating to Data Subjects in the People’s Republic of China in accordance with the Personal Information Protection Law (PIPL, effective November 1, 2021) and its associated regulations. Cross-border transfers of Personal Information originating in China shall be conducted only with the Data Subject’s prior separate and explicit consent, and subject to any applicable security assessment, standard contract filing, or certification requirements under PIPL and the implementing rules of the Cyberspace Administration of China (“CAC”), as applicable based on the volume and sensitivity of the Personal Information transferred. Data Subjects in China who object to the transfer of their Personal Information outside of China are advised to contact the Privacy Officer prior to engaging the Services.

UAE Residents

NewVita Processes Personal Information relating to Data Subjects in the United Arab Emirates in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”) and its implementing regulations. Cross-border transfers of Personal Information originating in the UAE shall be effected only to jurisdictions that provide an equivalent level of protection or, failing that, subject to appropriate contractual safeguards approved by the UAE Data Office.

Indian Residents

NewVita acknowledges the applicability of India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) to the Processing of Personal Information of Data Subjects located in India. Cross-border transfers of Personal Information of Indian Data Subjects shall be effected in accordance with the restrictions and safeguards prescribed under the DPDPA and its implementing rules, as and when such rules are finalized and come into force. NewVita will update this Policy as India’s implementing regulations are published.

All Other Jurisdictions

For Data Subjects located in jurisdictions not specifically addressed above, cross-border transfers of Personal Information shall be conducted in a manner consistent with Applicable Privacy Law in the relevant jurisdiction, including the use of contractual protections or other safeguards as required. Data Subjects with questions regarding the transfer of their Personal Information outside their home jurisdiction are invited to contact the Privacy Officer at privacy@newvita.ca.

9

Data Retention and Destruction

NewVita retains Personal Information only for so long as is reasonably necessary to fulfill the Purposes for which it was collected, and in any event for no longer than the applicable Retention Period as set out herein, subject to any legal, regulatory, contractual, or legitimate operational requirement that mandates or justifies a longer period. Upon expiry of the applicable Retention Period, Personal Information shall be securely destroyed, erased, or irreversibly anonymized, in a manner appropriate to the form and sensitivity of the information.

| Category of Personal Information | Retention Period | Legal or Operational Basis |
| --- | --- | --- |
| Inquiry, consultation, and pre-engagement records | 7 years from last contact | Applicable limitation periods; general business records |
| Active client files (inspection reports, photographs, visit logs) | Duration of engagement + 7 years following termination | Legal limitation periods (Limitations Act, RSA 2000, c L-12); insurance requirements |
| Insurance compliance documentation | 7 years minimum, or as required by applicable insurer | Alberta Insurance Act; insurer-mandated retention |
| Payment, invoicing, and billing records | 7 years from transaction date | Income Tax Act (Canada); Canada Revenue Agency requirements |
| Service agreements, authorizations, and engagement documents | 7 years following expiry or termination of agreement | Limitations Act, RSA 2000, c L-12 |
| Property access credentials (codes, keys, combinations) | Immediately upon engagement termination — permanent deletion | Security, confidentiality, and data minimization |
| Employment and independent contractor records | As required by applicable employment, tax, and benefits law | Employment Standards Code (Alberta); Income Tax Act |
| Anonymous and aggregated analytics data | Up to 26 months (Vercel Analytics standard) | Operational analytics; no personal identifiers retained |

Notwithstanding a Data Subject’s request for deletion pursuant to Section 22, NewVita shall retain Personal Information that it is legally required to retain for the duration of the applicable mandatory Retention Period. Where a deletion request is received and NewVita is unable to fully comply due to a mandatory legal retention obligation, NewVita shall: (a) notify the Data Subject in writing of the specific categories and basis for which deletion cannot be performed; (b) take all reasonable steps to restrict the Processing of such retained information to the minimum necessary to satisfy the legal obligation; and (c) destroy the information promptly upon expiry of the mandatory retention period. Data Subjects are advised to maintain independent copies of all documentation they may require for insurance, legal, estate, or financial purposes, particularly where such documentation derives from NewVita-generated Service Delivery Data, as NewVita’s obligation to retain that information may expire independently of the Data Subject’s own requirements.

De-identified and Aggregated Data: Notwithstanding any deletion, erasure, or destruction request submitted under this Section or Section 22, NewVita shall have no obligation to delete, de-identify, or destroy any information that has been irreversibly anonymized or aggregated in a manner that renders it impossible to identify, directly or indirectly, any natural person, including the requesting Data Subject. Data that has been subjected to robust anonymization techniques that meet or exceed the standards required under Applicable Privacy Law shall no longer constitute Personal Information and falls outside the scope of data subject rights obligations. Such anonymized or aggregated data may be retained indefinitely by NewVita for lawful analytical, operational improvement, statistical, or business intelligence purposes.

10

Security, Breach Notification and Incident Response

NewVita implements reasonable and appropriate technical, administrative, and physical safeguards designed to protect Personal Information against unauthorized access, disclosure, loss, alteration, destruction, or misuse, having regard to the sensitivity of the information, the nature of the Services, and the risks that would result from a breach. Such safeguards include, without limitation: encryption in transit via HTTPS/TLS for all communications to and from the Website; strict access controls limiting access to Personal Information to authorized personnel who require it to perform their specific functions; encrypted storage media for operational data pending migration to encrypted cloud infrastructure; confidentiality protocols governing the handling of property access credentials, which are never disclosed except as specifically authorized by the Client; and documented incident response procedures as described below.

No method of electronic transmission or storage is completely secure, and NewVita does not warrant that Personal Information will be free from unauthorized access in all circumstances. Where NewVita becomes aware of a security incident that results in, or is reasonably likely to result in, unauthorized access to, disclosure of, or loss of Personal Information that poses a real risk of significant harm to affected Data Subjects, NewVita shall take prompt steps to contain and investigate the incident, and shall notify affected Data Subjects and applicable regulatory authorities within the statutory timeframes set out below. Data Subjects who have reason to believe that their Personal Information held by NewVita has been compromised should contact the Privacy Officer immediately at privacy@newvita.ca.

Statutory Breach Notification Timelines

Canada (PIPEDA): Report to the Office of the Privacy Commissioner of Canada and notify affected individuals “as soon as feasible” after determining that a breach has occurred that creates a real risk of significant harm. No fixed calendar deadline; the standard is promptness consistent with the circumstances of the breach.
Alberta (PIPA): Notify affected individuals “as soon as reasonably possible” after determining that a breach involves Personal Information that could reasonably be expected to cause harm to the individual. Report to the Office of the Information and Privacy Commissioner of Alberta where required.
EU/EEA (GDPR, Articles 33–34): Report to the competent national supervisory authority within 72 hours of becoming aware of a personal data breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons. Notify affected Data Subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
UK (UK GDPR): Same 72-hour supervisory authority notification requirement as the EU GDPR, applied under UK law. Report to the ICO within 72 hours; notify affected Data Subjects without undue delay where a high risk arises.
All Other Jurisdictions: NewVita shall comply with the notification timelines mandated by Applicable Privacy Law in each relevant jurisdiction. Where no specific timeline is mandated, NewVita shall notify affected Data Subjects and, where required, regulators, as promptly as is reasonably practicable in the circumstances, and in no event later than 30 days from the date of confirmed breach discovery.

With respect to Personal Information held or Processed by Service Providers, NewVita acknowledges that security incidents may occur within systems operated by those third parties, including without limitation hosting providers, email delivery platforms, and scheduling services. In such circumstances, NewVita’s liability is subject to the limitations set out in Section 18 and the terms of its agreements with the relevant Service Provider. NewVita shall, upon becoming aware of a Service Provider security incident affecting Personal Information, take all reasonable steps within its control to mitigate harm, notify affected Data Subjects as required, and, where appropriate, terminate or modify its engagement with the affected Service Provider.

11

Cookies, Tracking Technologies and Online Identifiers

The Website does not deploy advertising cookies, behavioral tracking cookies, retargeting pixels, social media cookies, or any third-party cross-site tracking technology. NewVita does not participate in behavioral advertising networks, data management platforms, or any system that tracks individual users across websites for commercial purposes. The only online tracking technologies active on the Website are those described below, each of which is either strictly necessary for the Website’s security and performance or privacy-preserving by design.

Vercel Analytics collects anonymous, aggregated traffic data about usage of the Website for operational analytics purposes. Vercel Analytics does not set cookies, does not collect personal identifiers such as IP addresses in a form linked to individual visitors, and does not track users across sessions or devices. The data collected is statistical in nature and does not constitute Personal Information under Applicable Privacy Law.

Cloudflare, as NewVita’s CDN and security provider, may set one or more functional cookies (including __cflb and cf_clearance) strictly for the purposes of load balancing and bot/DDoS threat detection. These cookies do not contain Personal Information, are not used for advertising or tracking purposes, and expire at the conclusion of a browsing session or within the short functional lifespan required by Cloudflare’s security systems. The use of these cookies is a necessary condition of Website availability and security.

Mapbox address autocomplete functionality makes network requests to Mapbox servers when a Data Subject interacts with property address input fields on the Website. The text of the address input is transmitted to Mapbox in real time for the purpose of generating address suggestions. Mapbox may log these requests pursuant to its own privacy policy, which is available at mapbox.com/legal/privacy. No other Personal Information is transmitted to Mapbox.

Data Subjects may configure their browser settings to refuse, block, or delete cookies. Disabling Cloudflare’s security cookies may impair Website performance, availability, or security features. No functionality of the Website is conditioned upon the acceptance of advertising or tracking cookies.

12

Commercial Electronic Messages — CASL Compliance

Canada

NewVita complies with Canada’s Anti-Spam Legislation, S.C. 2010, c. 23 (“CASL”). CASL applies to Commercial Electronic Messages sent to electronic addresses — including email addresses and instant messaging accounts — that are accessed on a computer located in Canada at the time the message is received, regardless of whether the recipient is a Canadian resident. NewVita shall not send a CEM to any such electronic address unless: (a) the recipient has provided express consent to receive CEMs from NewVita; or (b) the recipient has provided implied consent within the meaning of CASL by virtue of an existing business relationship, inquiry, or publicly available contact information used in accordance with CASL’s requirements; and (c) each CEM contains NewVita’s identity and contact information and a clear, functional, and cost-free unsubscribe mechanism that is honoured within ten (10) business days of receipt. CASL obligations apply to NewVita regardless of where in the world the sender or the underlying service delivery is located, and NewVita shall not circumvent CASL’s requirements by routing electronic messages through non-Canadian infrastructure.

Notwithstanding the foregoing, the following categories of electronic messages do not constitute CEMs under CASL and may be sent without separate consent: (a) messages sent solely in response to a specific request or inquiry from the Data Subject; (b) transactional messages facilitating, completing, or confirming a commercial transaction to which the Data Subject is a party, including without limitation booking confirmations, service reports, inspection documentation, invoices, and urgent property notifications; and (c) messages that are solely informational in nature and contain no commercial promotion. Data Subjects who have provided express consent to receive CEMs from NewVita may withdraw that consent at any time, without penalty, by following the unsubscribe mechanism in any CEM received or by contacting the Privacy Officer at privacy@newvita.ca.

13

Children, Minors and Legal Incapacity

NewVita’s service agreements are legally binding contracts. In most Canadian provinces and territories, the age of majority required to enter into a binding contract is 18 years (or 19 years in British Columbia, Nova Scotia, and New Brunswick). NewVita shall not knowingly enter into a binding service agreement with, or directly collect Personal Information from, an individual below the applicable age of majority in their jurisdiction without the express involvement and co-signature of a parent, legal guardian, court-appointed trustee, or other individual with lawful authority to contract on the minor’s behalf (each, a “Responsible Adult”). Where a service agreement is co-signed by a Responsible Adult, all consents, authorizations, and representations required under this Policy shall be provided by the Responsible Adult, who assumes full contractual and legal responsibility for the agreement and for ensuring that Personal Information provided concerning the minor is accurate and lawfully disclosed.

NewVita acknowledges that, in certain circumstances — including but not limited to inherited property, estate and probate matters, or trust arrangements — a beneficial interest in real property may be held by or on behalf of a minor under applicable provincial law. NewVita shall provide Services in respect of such property, subject to the involvement of a Responsible Adult as described above. Personal Information relating to a minor in such circumstances shall be Processed only to the extent strictly necessary for the Services authorized by the Responsible Adult, shall be subject to heightened safeguards, and shall not be retained beyond the expiry of the applicable Retention Period.

NewVita further acknowledges that, in the course of providing property access, concierge coordination, and related Services, it may incidentally interact with or receive information about minors (including, by way of example and without limitation, in connection with family estate properties, delivery coordination, and property access for family members). In all such cases, NewVita shall not collect any Personal Information from or about a minor beyond what is strictly necessary to complete the specific authorized task, and shall not retain photographs, documentation, or other records in which a minor appears or is identifiable beyond the operational necessity of the particular visit or engagement.

If NewVita becomes aware that it has inadvertently collected Personal Information from or about a minor without the authorization of a Responsible Adult, NewVita shall take prompt steps to delete or de-identify such information, and shall notify the relevant Responsible Adult. Any individual who believes NewVita has collected such information without appropriate authorization is requested to contact the Privacy Officer immediately at privacy@newvita.ca.

14

Accuracy, Completeness and Client Obligations

NewVita shall take reasonable steps to ensure that Personal Information Processed in connection with the Services is accurate, complete, and up to date, having regard to the Purposes for which it is used. NewVita shall update or correct Personal Information in its custody or control promptly upon being notified of an inaccuracy by the relevant Data Subject, subject to verification of the Data Subject’s identity and the accuracy of the correction requested.

Data Subjects bear responsibility for ensuring the accuracy and currency of the Personal Information they provide to NewVita. In particular, Clients are responsible for: (a) providing accurate and current property addresses, contact information, and service instructions at the time of engagement and as they change thereafter; (b) promptly notifying NewVita of any material change to Personal Information previously provided, including without limitation changes to property ownership, property access credentials, or authorized personnel; and (c) ensuring that any Personal Information provided about third parties (including Authorized Representatives, contractors, and family members) is accurate and lawfully provided. NewVita expressly disclaims liability for any consequences — including without limitation service errors, unauthorized access, or report inaccuracies — arising from a Data Subject’s failure to provide accurate or current Personal Information or to notify NewVita of changes thereto.

15

Privacy by Design and Default

NewVita is committed to the principle of privacy by design: that privacy and data protection are incorporated into the architecture of its Services and Platforms proactively, not reactively, and as a default configuration. In practice, this means that NewVita: (a) collects only such Personal Information as is strictly necessary for the specified Purposes and no more (data minimization); (b) retains Personal Information only for the applicable Retention Period (storage limitation); (c) evaluates the privacy implications of new features, platform changes, and Service additions prior to implementation, and incorporates necessary safeguards before launch; (d) ensures that, by default, no unnecessary Personal Information is disclosed, retained, or made accessible beyond what is required for the Purpose in question; and (e) treats privacy and security as core engineering and operational requirements, not post-hoc compliance obligations.

Where NewVita introduces new Services, Platforms, or Processing activities that involve a material change to the nature or scope of Personal Information collected or the risks associated with Processing, NewVita shall conduct a privacy impact assessment (“PIA”) or data protection impact assessment (“DPIA”) as required by Applicable Privacy Law, and shall document and act upon the findings of such assessment prior to commencing the new Processing activity.

16

Automated Decision-Making and Profiling

NewVita does not currently engage in automated decision-making, algorithmic profiling, or any Processing that, without meaningful human involvement, produces decisions having legal effects or similarly significant consequences for Data Subjects. All service proposals, pricing determinations, engagement assessments, and recommendation outputs are produced through human review and judgment by NewVita personnel, based on the information provided by the Client and the specific circumstances of the property and engagement. No decision affecting a Data Subject’s legal rights, contractual standing, or access to the Services is made solely by automated means.

In the event that NewVita introduces automated decision-making or profiling capabilities in the future — including but not limited to machine learning-based report generation, algorithmic pricing, or AI-assisted property assessments — NewVita shall: (a) update this Policy to describe the logic, significance, and consequences of such processing prior to implementation; (b) where required by Applicable Privacy Law (including but not limited to GDPR Article 22, PIPL Article 24, and equivalent provisions), obtain the Data Subject’s explicit consent or provide the Data Subject with the right to request human review of automated decisions; and (c) implement appropriate safeguards against discriminatory, inaccurate, or harmful automated outcomes.

17

Your Jurisdiction-Specific Privacy Rights

The specific rights available to a Data Subject with respect to their Personal Information depend in part upon the Data Subject’s jurisdiction of residence and the Applicable Privacy Law in force in that jurisdiction. The following sets out the rights available under each identified legal framework. Nothing in this Section limits any broader right available under Applicable Privacy Law not specifically enumerated herein. To exercise any right described in this Section, see Section 22.

17.1 — Canadian Residents (PIPEDA & Alberta PIPA)

Canada · Alberta

Under Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) and Alberta’s Personal Information Protection Act, SA 2003, c P-6.5 (“Alberta PIPA”), Data Subjects have the right to:

  • Know what Personal Information NewVita holds about them, for what Purposes, and to whom it has been disclosed
  • Access their Personal Information and receive a copy thereof, subject to applicable exceptions
  • Request correction of inaccurate, incomplete, or outdated Personal Information
  • Withdraw consent to the collection, use, or disclosure of Personal Information (subject to legal and contractual limitations, including applicable limitation periods and mandatory retention obligations)
  • Request deletion of Personal Information that NewVita is not legally required to retain
  • Be informed of the existence, use, and disclosure of their Personal Information upon request
  • File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca or by telephone at 1-800-282-1376
  • File a complaint with the Office of the Information and Privacy Commissioner of Alberta (OIPC) at oipc.ab.ca or by telephone at 780-422-6860

17.2 — EU/EEA Residents (GDPR)

EU

Under Regulation (EU) 2016/679 (“GDPR”), Data Subjects located in the European Economic Area have the following rights:

  • Right of access to Personal Data (Article 15)
  • Right to rectification of inaccurate or incomplete Personal Data (Article 16)
  • Right to erasure (“right to be forgotten”) in specified circumstances (Article 17)
  • Right to restriction of Processing in specified circumstances (Article 18)
  • Right to data portability in a structured, commonly used, and machine-readable format (Article 20)
  • Right to object to Processing based on legitimate interests or for direct marketing purposes (Article 21)
  • Right not to be subject to solely automated decision-making producing legal or similarly significant effects (Article 22)
  • Right to lodge a complaint with the competent national supervisory authority in the EU/EEA

17.3 — UK Residents (UK GDPR)

UK

Under the UK GDPR and the Data Protection Act 2018, Data Subjects located in the United Kingdom have rights equivalent to those described in Section 17.2 above, applied mutatis mutandis under the UK legal framework. Data Subjects in the UK may also lodge a complaint with the Information Commissioner’s Office (“ICO”) at ico.org.uk.

17.4 — California Residents (CCPA/CPRA)

California

Under the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.) as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”), California residents have the right to:

  • Know what categories of Personal Information have been collected, used, disclosed, or sold
  • Access specific pieces of Personal Information NewVita holds about them
  • Request deletion of Personal Information, subject to applicable exceptions
  • Request correction of inaccurate Personal Information
  • Opt out of the sale or sharing of Personal Information for cross-context behavioral advertising (NewVita does not sell or share Personal Information within the meaning of CCPA/CPRA)
  • Limit the use and disclosure of Sensitive Personal Information
  • Non-discrimination for the exercise of CCPA/CPRA rights

For greater certainty: NewVita does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising within the meaning of the CCPA/CPRA. Accordingly, there is no opt-out of sale or sharing to which California residents need to subscribe; however, NewVita acknowledges that some California residents may signal their opt-out preference via a recognized opt-out preference signal, including the Global Privacy Control (“GPC”) signal as referenced in 11 C.C.R. § 7025. NewVita currently processes GPC signals received through Website browsers, and where such a signal is detected, treats it as a California resident’s opt-out of sale and sharing of Personal Information, consistent with CPRA requirements. Because NewVita does not engage in such sale or sharing, recognition of the GPC signal has no practical effect on current operations but is honoured as a matter of regulatory compliance.

17.5 — Chinese Residents (PIPL)

China

Under China’s Personal Information Protection Law (中华人民共和国个人信息保护法, “PIPL”, effective November 1, 2021), Data Subjects located in the People’s Republic of China have the right to:

  • Know and decide how their Personal Information is Processed, and to restrict or refuse Processing (Articles 44, 45)
  • Access and copy their Personal Information (Article 45)
  • Request correction or supplementation of inaccurate or incomplete Personal Information (Article 46)
  • Request deletion of Personal Information in specified circumstances, including upon withdrawal of consent (Article 47)
  • Withdraw consent where Processing is based on consent, without affecting the lawfulness of prior Processing (Article 15)
  • Request an explanation of automated Processing rules where automated decisions are made (Article 24)
  • Transfer Personal Information to a designated recipient as specified by the Data Subject (Article 45, subject to technical feasibility)

Statutory Limitations: Data Subjects in China are advised that the rights set out above are subject to the exceptions and limitations provided by PIPL and other applicable Chinese law, including without limitation exemptions for national security, public interest, law enforcement, criminal investigation, and emergency response purposes as provided in PIPL Article 13 and related provisions. NewVita is a Canadian entity and does not make representations as to the enforceability of rights under PIPL against third parties, governmental bodies, or Chinese-domiciled entities operating independently of NewVita.

17.6 — UAE Residents (PDPL)

UAE

Under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”) and its implementing regulations, Data Subjects located in the UAE have the right to:

  • Access their Personal Data and receive a copy
  • Request correction of inaccurate or incomplete Personal Data
  • Request destruction (deletion) of Personal Data where its retention is no longer necessary for the original Purpose
  • Object to Processing where such Processing causes or is likely to cause harm
  • Receive Personal Data in a structured, portable format
  • Lodge a complaint with the UAE Data Office at dataoffice.ae

17.7 — Indian Residents (DPDPA)

India

Under India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) and its implementing rules (as and when finalized and in force), Data Subjects located in India have the right to:

  • Access a summary of Personal Data Processed and a description of Processing activities
  • Correction and erasure of inaccurate or outdated Personal Data
  • Nomination of a person to exercise rights on the Data Subject’s behalf in specified circumstances
  • Grievance redressal through NewVita’s internal complaints process and, where unresolved, through the Data Protection Board of India

NewVita will update this Section as India’s DPDPA implementing rules are finalized and take effect.

17.8 — Japanese Residents (APPI)

Japan

Under Japan’s Act on the Protection of Personal Information (個人情報の保護に関する法律, “APPI”), as amended effective April 2022, Data Subjects located in Japan have the right to request: disclosure of the content of Retained Personal Information; correction, addition, or deletion of inaccurate Retained Personal Information; suspension of use or erasure of Retained Personal Information Processed in violation of the APPI; and suspension of third-party provision where such provision violates the APPI. Complaints may be directed to the Personal Information Protection Commission (“PPC”) at ppc.go.jp.

17.9 — South Korean Residents (PIPA)

South Korea

Under South Korea’s Personal Information Protection Act (개인정보 보호법, “PIPA”), Data Subjects located in the Republic of Korea have the right to access, correct, delete, and suspend the Processing of their Personal Information held by NewVita. Complaints may be directed to South Korea’s Personal Information Protection Commission (“PIPC”) at pipc.go.kr.

17.10 — Hong Kong Residents (PDPO)

Hong Kong

Under Hong Kong’s Personal Data (Privacy) Ordinance, Cap. 486 (“PDPO”), Data Subjects located in Hong Kong have the right to request access to and correction of Personal Data held by NewVita, subject to applicable exemptions. Complaints may be directed to the Privacy Commissioner for Personal Data (“PCPD”) at pcpd.org.hk.

17.11 — Saudi Arabian Residents (PDPL)

Saudi Arabia

Under Saudi Arabia’s Personal Data Protection Law, Royal Decree No. M/19 (2021), effective September 2023 (“Saudi PDPL”), Data Subjects located in the Kingdom of Saudi Arabia have the right to access, correct, and request destruction of their Personal Data, to withdraw consent, to restrict Processing in specified circumstances, and to request portability of their Personal Data. Complaints may be directed to the Saudi Data & AI Authority (“SDAIA”) at sdaia.gov.sa.

17.12 — Australian Residents (Privacy Act 1988)

Australia

Under Australia’s Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), Data Subjects located in Australia have the right to access and request correction of Personal Information held by NewVita, subject to applicable exceptions. Complaints may be directed to the Office of the Australian Information Commissioner (“OAIC”) at oaic.gov.au.

17.13 — Singapore Residents (PDPA)

Singapore

Under Singapore’s Personal Data Protection Act 2012 (No. 26 of 2012) as amended (“PDPA”), Data Subjects located in Singapore have the right to access and correct Personal Data held by NewVita, to withdraw consent for non-essential Processing, and to data portability in specified circumstances. Complaints may be directed to the Personal Data Protection Commission (“PDPC”) at pdpc.gov.sg.

17.14 — Brazilian Residents (LGPD)

Brazil

Under Brazil’s Lei Geral de Proteção de Dados Pessoais, Law No. 13,709/2018 (“LGPD”), Data Subjects located in Brazil have the right to access, correct, delete, and request portability of their Personal Data, to obtain information concerning the entities with which their data has been shared, to request anonymization, blocking, or deletion of unnecessary or excessive data, to revoke consent, and to file a complaint with the Autoridade Nacional de Proteção de Dados (“ANPD”) at gov.br/anpd.

17.15 — New Zealand Residents (Privacy Act 2020)

New Zealand

Under New Zealand’s Privacy Act 2020, Data Subjects located in New Zealand have the right to request access to and correction of Personal Information held by NewVita, subject to applicable exceptions. Complaints may be directed to the Office of the Privacy Commissioner at privacy.org.nz.

17.16 — All Other Jurisdictions

All Jurisdictions

NewVita provides the Services to Clients located in any jurisdiction in which it is lawful to do so under applicable Canadian and local law, including without limitation all jurisdictions not specifically enumerated above. For Data Subjects in all such jurisdictions, NewVita is committed to Processing Personal Information in compliance with all Applicable Privacy Law. To the extent that any mandatory privacy right or statutory protection under applicable local law is not specifically addressed in this Policy, such rights and protections are hereby incorporated by reference and shall be enforceable against NewVita to the same extent as if expressly set out herein. Data Subjects in any jurisdiction may submit requests to exercise their rights, including without limitation requests for access, correction, or deletion, to the Privacy Officer at privacy@newvita.ca, and NewVita shall respond in good faith and in accordance with Applicable Privacy Law.

18

Limitation of Liability

To the maximum extent permitted by Applicable Privacy Law and other applicable law, NewVita’s aggregate liability to any Data Subject arising out of or in connection with this Policy, including but not limited to any claim relating to unauthorized access to, loss of, disclosure of, or Processing of Personal Information, shall not exceed the total fees actually paid by that Data Subject to NewVita in the twelve (12) calendar months immediately preceding the event giving rise to the claim. Where the Data Subject has paid no fees to NewVita (including in the case of a Website visitor who has not engaged the Services), NewVita’s aggregate liability shall be limited to one hundred Canadian dollars (CAD $100.00).

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, NEWVITA SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATING TO ANY UNAUTHORIZED ACCESS TO, DISCLOSURE OF, LOSS OF, OR DESTRUCTION OF PERSONAL INFORMATION, INCLUDING WITHOUT LIMITATION DAMAGES ARISING FROM: (A) UNAUTHORIZED THIRD-PARTY ACCESS TO THE SYSTEMS OF ANY SERVICE PROVIDER ENGAGED BY NEWVITA; (B) FORCE MAJEURE EVENTS INCLUDING CYBERATTACKS, NATURAL DISASTERS, OR GOVERNMENTAL ACTIONS BEYOND NEWVITA’S REASONABLE CONTROL; OR (C) A DATA SUBJECT’S FAILURE TO MAINTAIN THE SECURITY OF THEIR OWN CREDENTIALS OR COMMUNICATIONS.

Notwithstanding the foregoing, nothing in this Section shall limit or exclude NewVita’s liability: (a) for direct damages caused by NewVita’s own intentional, wilful, or fraudulent misconduct; (b) for death or personal injury caused by NewVita’s negligence; or (c) to the extent that any applicable law prohibits such limitation or exclusion, including without limitation mandatory consumer protection provisions applicable in certain jurisdictions. The limitations set out in this Section apply to the maximum extent permitted by Applicable Privacy Law in the Data Subject’s jurisdiction of residence, and do not limit any mandatory statutory rights available to Data Subjects under such law.

18.4 — Client Indemnification — Unauthorized Third-Party Personal Information

Each Client agrees to defend, indemnify, and hold harmless NewVita Property Group and its owner, officers, employees, contractors, agents, successors, and assigns (collectively, “NewVita Indemnified Parties”) from and against any and all claims, demands, actions, proceedings, losses, damages, fines, penalties, costs, and expenses — including without limitation reasonable legal fees and disbursements, regulatory investigation costs, and any amounts paid in settlement — arising out of or in connection with: (a) the Client’s provision to NewVita of Personal Information relating to any third party without the requisite legal authority, consent, or lawful basis required under Applicable Privacy Law; (b) any breach by the Client of the representations and warranties set out in Section 4.5; (c) any inaccuracy, incompleteness, or unlawful content in Personal Information submitted by the Client; or (d) any regulatory complaint, investigation, enforcement action, or legal proceeding initiated by or on behalf of a third party whose Personal Information was provided to NewVita by the Client without authorization. This indemnification obligation is in addition to, and not in limitation of, any other remedy available to NewVita at law or in equity.

18.5 — Survival

The provisions of this Section 18 — including the limitations of liability, exclusion of consequential damages, and Client indemnification obligations — shall survive the termination or expiry of any service agreement between the Client and NewVita, the cessation of NewVita’s use of the Website, and any discontinuation or amendment of this Policy, and shall remain in full force and effect for the maximum period permitted by Applicable Privacy Law and the applicable statute of limitations. Without limiting the foregoing, Sections 6.5 (prohibition on sale), 9 (data retention), 14 (accuracy obligations), 18 (limitation of liability and indemnification), 19 (governing law), and 20 (general provisions) shall also survive the termination of any engagement between NewVita and a Client.

19

Governing Law, Jurisdiction and Dispute Resolution

This Policy shall be governed by and construed in accordance with the laws of the Province of Alberta and the federal laws of Canada applicable therein, without regard to conflict of law principles that would result in the application of the laws of another jurisdiction. Nothing in this clause limits the rights of Data Subjects under the mandatory provisions of Applicable Privacy Law in their jurisdiction of residence, including without limitation the mandatory rights of EU/EEA and UK residents under the GDPR and UK GDPR, and equivalent rights under other applicable frameworks; such mandatory rights are preserved in full.

In the event of any dispute, claim, or controversy arising out of or relating to this Policy, the collection or use of Personal Information by NewVita, or any alleged breach of a Data Subject’s privacy rights, the parties shall first attempt to resolve the matter through good-faith informal negotiation. A party seeking resolution shall provide written notice to the other party (in the case of a Data Subject, to privacy@newvita.ca) describing the nature of the dispute with reasonable particularity. If the dispute is not resolved within thirty (30) days of delivery of such notice, either party may: (a) file a complaint with the applicable regulatory authority identified in Section 23; or (b) pursue resolution through the courts of competent jurisdiction in the Province of Alberta, Canada, subject to any mandatory jurisdictional provisions under Applicable Privacy Law in the Data Subject’s home jurisdiction.

20

General Provisions

20.1 — Severability

If any provision of this Policy is found by a court or tribunal of competent jurisdiction to be invalid, illegal, unenforceable, or void in any jurisdiction, that provision shall, to the extent possible, be modified to the minimum extent necessary to render it valid, legal, and enforceable, and the remaining provisions of this Policy shall continue in full force and effect. The invalidity or unenforceability of any provision in one jurisdiction shall not affect the validity or enforceability of that provision in any other jurisdiction.

20.2 — No Waiver

No failure or delay by NewVita in exercising any right or remedy under this Policy, and no partial or single exercise thereof, shall constitute a waiver of that or any other right or remedy. Any waiver of a specific provision of this Policy must be in writing and signed by an authorized representative of NewVita to be effective.

20.3 — Entire Agreement on Privacy

This Policy, together with any specific privacy notices provided at the point of collection of Personal Information and any applicable service agreements between NewVita and a Client that address privacy matters, constitutes the entire agreement between NewVita and Data Subjects with respect to the subject matter hereof. This Policy supersedes all prior privacy policies, privacy notices, and representations of NewVita with respect to the Processing of Personal Information, including without limitation any prior versions of this Policy.

20.4 — Language

This Policy is drafted in the English language. In the event of any inconsistency or conflict between any translation of this Policy and the English version, the English version shall prevail to the fullest extent permitted by Applicable Privacy Law. Notwithstanding the foregoing, NewVita acknowledges that certain jurisdictions, including without limitation the Province of Quebec, may require that contracts and consumer-facing documents be made available in the French language; NewVita shall comply with such requirements as and when applicable.

20.5 — No Assignment

A Data Subject may not assign or transfer any right or obligation arising under this Policy without NewVita’s prior written consent. NewVita may assign this Policy and its rights and obligations hereunder to a successor or acquiring entity in connection with a Business Transfer, subject to the notification requirements of Section 6.4.

20.6 — No Third-Party Beneficiaries

This Policy is made for the benefit of NewVita and Data Subjects only. Nothing in this Policy, express or implied, is intended to confer upon any other person, entity, contractor, third-party service provider, or any other party any legal or equitable rights, benefits, remedies, or claims of any nature whatsoever under or by reason of this Policy. For greater certainty, a Client’s submission of Personal Information about a third party to NewVita does not make that third party a party to this Policy or to any service agreement between the Client and NewVita, and does not create any direct obligation from NewVita to that third party beyond the obligations arising under Applicable Privacy Law.

20.7 — Headings for Convenience

The section headings, subsection headings, and numbered sub-provisions contained in this Policy are inserted for convenience of reference only and shall not affect the meaning, interpretation, or construction of this Policy. In the event of any conflict or ambiguity between a heading and the substantive text of the provision it introduces, the substantive text shall prevail.

20.8 — Records of Processing Activities

As required by Article 30 of the GDPR and equivalent provisions under other Applicable Privacy Law, NewVita maintains internal records of its Processing activities (“Records of Processing Activities” or “ROPA”), which document the categories of Personal Information Processed, the Purposes for which each category is Processed, the categories of recipients to whom Personal Information is disclosed, the applicable retention periods, and the technical and organizational safeguards in place. NewVita’s ROPA is maintained internally and made available to competent supervisory authorities upon request. Data Subjects may request a summary of relevant ROPA entries applicable to their Personal Information by submitting a written request to the Privacy Officer at privacy@newvita.ca.

20.9 — Aggregate and De-Identified Data

NewVita reserves the right to create, use, and disclose aggregate, anonymized, or de-identified data derived from Personal Information collected in connection with the Website and Services. For the avoidance of doubt, such data does not constitute Personal Information within the meaning of this Policy or Applicable Privacy Law once it has been subjected to irreversible anonymization or de-identification techniques that prevent re-identification of any individual. NewVita may use such data for purposes including without limitation service improvement, operational analytics, industry benchmarking, product development, and marketing, provided that no individual Data Subject is identifiable from such aggregate or de-identified data. NewVita shall implement appropriate technical safeguards against re-identification of any such data.

21

Amendments to This Policy

NewVita reserves the right to amend, update, or replace this Policy at any time, in its sole discretion, to reflect changes in its business practices, the Services, the Platforms, Applicable Privacy Law, or regulatory guidance. All amendments are effective as of the Effective Date stated at the top of the amended Policy. NewVita shall classify all amendments as either Material Amendments or Non-Material Amendments, and shall provide notice as described below.

A “Material Amendment” is any change that: (a) expands the categories of Personal Information collected; (b) introduces new Purposes of Processing; (c) changes the identity of the Data Controller; (d) materially affects Data Subject rights or the basis on which Personal Information is transferred internationally; or (e) otherwise significantly alters the terms on which Personal Information is Processed. For Material Amendments, NewVita shall provide at least thirty (30) days’ advance written notice to Data Subjects by email (to the address most recently provided to NewVita) and by prominent notice on the Website prior to the amended Policy taking effect. A Data Subject’s continued use of the Website or the Services after the effective date of a Material Amendment constitutes acceptance of the amended Policy. Data Subjects who do not accept a Material Amendment may contact NewVita prior to the effective date to discuss the impact on their engagement and to exercise any applicable rights.

A “Non-Material Amendment” includes clarifications, typographical corrections, updates to Service Provider links, and other changes that do not materially affect Data Subject rights or NewVita’s Processing activities. Non-Material Amendments shall take effect upon posting of the updated Policy to the Website, without advance notice. Prior versions of this Policy are available upon written request to the Privacy Officer.

Non-Retroactivity: No amendment to this Policy — whether Material or Non-Material — shall operate retroactively to diminish, limit, or extinguish any right that has already been exercised by a Data Subject under a prior version of this Policy, or to expand the scope of Processing that was conducted lawfully in reliance on a prior version. For greater certainty, where a Data Subject submitted a deletion, correction, or access request under a prior version of this Policy, NewVita’s obligation to respond to and honour that request is governed by the version of this Policy in effect at the time the request was received. Amendments that expand the categories of Personal Information collected or that introduce new Purposes of Processing shall apply only to Personal Information collected on or after the effective date of the amended Policy, unless the Data Subject provides fresh, specific consent to the application of the new terms to previously collected Personal Information.

22

Exercising Your Privacy Rights

To exercise any right described in this Policy — including without limitation requests for access, correction, deletion, portability, restriction of Processing, objection to Processing, or withdrawal of consent — a Data Subject must submit a written request to the Privacy Officer. NewVita may require reasonable information to verify the identity of the requesting Data Subject before processing the request, in order to protect Personal Information against unauthorized access, disclosure, or modification. NewVita shall not use the verification process as a means to create barriers to the exercise of legitimate rights.

Privacy Officer — NewVita Property Group

Email: privacy@newvita.ca

Suggested subject line: Privacy Rights Request — [Right Being Exercised] — [Your Name]

Upon receipt of a verifiable rights request, NewVita shall: (a) acknowledge receipt of the request within five (5) business days; (b) respond substantively within thirty (30) calendar days or within the timeframe required by Applicable Privacy Law in the Data Subject’s jurisdiction, whichever is shorter; and (c) where additional time is required to fulfill a complex or voluminous request, notify the Data Subject in writing prior to the expiry of the initial response period, specifying the reason for the extension and the anticipated response date, which shall not exceed ninety (90) calendar days from receipt of the original request without the Data Subject’s consent.

NewVita shall process routine rights requests without charge. NewVita reserves the right, to the extent permitted by Applicable Privacy Law, to charge a reasonable administrative fee for requests that are manifestly unfounded, excessive, or repetitive, having regard to the nature and volume of the information requested. Where a fee will apply, NewVita shall notify the Data Subject before processing the request and provide the Data Subject with the opportunity to withdraw or narrow the request. Where NewVita declines to act on a request, NewVita shall notify the Data Subject of the reason for the refusal and of the Data Subject’s right to lodge a complaint with the applicable regulatory authority identified in Section 23.

23

Contact Information and Regulatory Authorities

All privacy-related inquiries, data subject rights requests, withdrawal of consent, and formal complaints should be directed to:

NewVita Property Group — Privacy Officer

Email: privacy@newvita.ca

Location: Edmonton, Alberta, Canada

If a Data Subject is not satisfied with NewVita’s response to a privacy complaint or request, they have the right to escalate the matter to the applicable regulatory authority for their jurisdiction. The following table identifies the competent regulatory authority for each jurisdiction addressed in this Policy. This table is not exhaustive; Data Subjects in jurisdictions not listed may identify the applicable authority through their national or regional data protection office.

Jurisdiction | Regulatory Authority | Website
Canada (Federal) | Office of the Privacy Commissioner of Canada | priv.gc.ca
Alberta | Office of the Information & Privacy Commissioner | oipc.ab.ca
European Union | National supervisory authority (see EDPB for full list) | edpb.europa.eu
United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk
USA — California | California Privacy Protection Agency (CPPA) | cppa.ca.gov
China | Cyberspace Administration of China (CAC) | cac.gov.cn
UAE | UAE Data Office | dataoffice.ae
India | Data Protection Board of India (pending establishment) | meity.gov.in
Japan | Personal Information Protection Commission (PPC) | ppc.go.jp
South Korea | Personal Information Protection Commission (PIPC) | pipc.go.kr
Hong Kong | Privacy Commissioner for Personal Data (PCPD) | pcpd.org.hk
Saudi Arabia | Saudi Data & AI Authority (SDAIA) | sdaia.gov.sa
Australia | Office of the Australian Information Commissioner | oaic.gov.au
Singapore | Personal Data Protection Commission (PDPC) | pdpc.gov.sg
Brazil | Autoridade Nacional de Proteção de Dados (ANPD) | gov.br/anpd
New Zealand | Office of the Privacy Commissioner | privacy.org.nz


All privacy inquiries are acknowledged within 5 business days.
