Privacy Policy

1. Data Controller and Processor Roles

1.1 Controller. Llewellyn Systems acts as the Data Controller for personal information collected directly from visitors to our websites, marketing contacts, and prospective customers.

1.2 Processor. When processing Customer Data on behalf of our enterprise customers, Llewellyn Systems acts as a Data Processor (or Service Provider under CCPA). Our customers remain the Data Controller for their end-user data.

1.3 Contact. Data Protection Officer: privacy@llewellynsystems.com | Llewellyn Systems Inc, Attn: Legal Department, [Address on file with regulatory authorities].

2. Information We Collect

2.1 Information You Provide. Account registration data (name, email, organization); billing and payment information; communications with our support team; content uploaded to the Platform (meeting notes, documents, project data).

2.2 Automatically Collected Information. Device identifiers, IP addresses, browser type, operating system; usage data, feature interactions, and performance metrics; cookies and similar tracking technologies (see Cookie Policy).

2.3 Third-Party Sources. Business contact information from partners; publicly available professional information; identity verification services for compliance purposes.

3. Lawful Bases for Processing (GDPR/UK GDPR)

We process personal data under the following lawful bases:

• Contract Performance: Processing necessary to provide the ODE-LOS and fulfill our contractual obligations.
• Legitimate Interests: Product improvement, security, fraud prevention, and business analytics, balanced against data subject rights.
• Legal Compliance: Processing required to comply with applicable laws, regulations, and legal processes.
• Consent: Where required by law, such as for certain marketing communications or optional data processing activities.

4. How We Use Information

• Provide, maintain, and improve the ODE-LOS and services
• Process transactions and send related information
• Send technical notices, updates, security alerts, and support messages
• Respond to comments, questions, and customer service requests
• Communicate about products, services, and events (with consent where required)
• Monitor and analyze trends, usage, and activities
• Detect, investigate, and prevent fraudulent transactions and security incidents
• Comply with legal obligations and enforce our agreements

4A. SMS/Text Message Communications

4A.1 Types of SMS Communications. If you opt in to receive SMS/text messages from Llewellyn Systems, you may receive:

• Transactional Messages: Account alerts, appointment reminders, service notifications, verification codes, and support-related messages
• Marketing Messages: Promotional offers, product updates, and marketing communications (only with separate explicit consent)

4A.2 Message Frequency. Message frequency varies based on your account activity and preferences. Transactional messages are sent as needed based on your use of our services. Marketing messages, if you have opted in, are typically sent no more than 4 times per month.

4A.3 Standard Rates Apply. Standard message and data rates may apply to SMS/text messages sent to or from your mobile device. Please check with your mobile carrier for details about your text messaging plan.

4A.4 Opt-Out Instructions. You may opt out of SMS/text messages at any time by:

• Replying STOP to any message we send
• Contacting us at sms-optout@llewellynsystems.com
• Updating your communication preferences in your account settings

4A.5 Help. For help with SMS messages, reply HELP to any message or contact solstaff@soundoflife.media.

4A.6 Supported Carriers. SMS messaging is supported on most major U.S. carriers including AT&T, Verizon, T-Mobile, Sprint, and others. Carriers are not liable for delayed or undelivered messages.

5. Data Sharing and Disclosure

5.1 Service Providers. We share data with vetted subprocessors who assist in providing our services, subject to contractual data protection obligations. See ourSubprocessor List.

5.2 Legal Requirements. We may disclose information to comply with applicable law, legal process, or governmental request; enforce our agreements; or protect rights, privacy, safety, or property.

5.3 Business Transfers. In connection with any merger, acquisition, or sale of assets, personal information may be transferred, subject to standard confidentiality agreements.

5.4 No Sale of Personal Information. We do not sell personal information as defined under CCPA/CPRA or other applicable privacy laws.

6. International Data Transfers

Personal data may be transferred to and processed in countries outside your jurisdiction. For transfers from the EEA, UK, or Switzerland, we rely on:

• European Commission adequacy decisions
• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
• Binding Corporate Rules where applicable
• Supplementary measures as required by Schrems II guidance

7. Data Subject Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of personal data we hold about you
• Rectification: Request correction of inaccurate or incomplete data
• Erasure: Request deletion of personal data ("right to be forgotten")
• Restriction: Request limitation of processing in certain circumstances
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests or direct marketing
• Withdraw Consent: Where processing is based on consent
• Non-Discrimination: Exercise rights without discriminatory treatment (CCPA)

To exercise these rights, contact privacy@llewellynsystems.com. We will respond within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA).

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy, to comply with legal obligations, resolve disputes, and enforce agreements. Customer Data is retained according to customer instructions and our Data Processing Addendum. Upon termination, customers may request data export or deletion within 30 days.

9. Security

We implement industry-standard technical and organizational measures to protect personal data, including: encryption in transit (TLS 1.3) and at rest (AES-256); role-based access control (RBAC); tenant isolation; audit logging with One-Record data lineage; SOC 2 Type II audit in progress; regular security assessments and penetration testing. See our Security page for details.

10. Children's Privacy

The ODE-LOS is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or prominent notice on our website at least 30 days before the effective date. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

12. Contact Us