2.1 Introduction and Scope

This Privacy Policy explains how OperationWorks collects, uses, discloses, safeguards, and retains information when users visit the OperationWorks website or use the Services. This Privacy Policy applies to information OperationWorks controls for its own business operations and to personal information processed in connection with the Services, subject to the client agreements described below.

2.2 Controller, Processor, and Business Associate Roles

OperationWorks may act in different roles depending on the context:

• Controller: OperationWorks acts as a controller for direct business operations, account onboarding, billing, invoicing, sales administration, support administration, and managing relationships with corporate customers.

• Processor or Service Provider: For client deployments, OperationWorks processes Customer Data only on behalf of and under the instructions of the corporate client, as described in the applicable DPA or similar written agreement.

• Business Associate: For covered care facility deployments involving Protected Health Information (“PHI”), OperationWorks acts as a Business Associate only where a BAA has been executed. The applicable BAA governs PHI processing.

2.3 Information We Collect

OperationWorks may collect the following categories of information:

• Account and contact information, such as name, corporate email address, phone number, job title, company name, billing contact details, and administrative user information.

• Authentication information, such as login identifiers, single sign-on identifiers, authentication tokens, and identity-provider information used to verify identity and maintain secure access.

• Usage, device, and log information, such as IP address, browser type, operating system, device identifiers, access times, pages viewed, feature usage, audit logs, and platform activity logs.

• Customer Data and operational data, such as inspections, assigned tasks, due items, compliance checks, work orders, operational parameters, resident, patient, constituent, or facility-related records entered by authorized users into a client deployment.

• SMS/text messaging information, such as mobile phone number, opt-in status, opt-out status, consent records, message delivery records, HELP or STOP requests, and related messaging logs.

• Support and communications information, such as emails, support requests, feedback, troubleshooting details, and records of interactions with OperationWorks.

2.4 How We Use Information

OperationWorks uses information for the following purposes:

• To create accounts, authenticate users, administer access controls, and provide the Services.

• To support operational workflows, inspections, compliance checks, due items, work assignments, task notifications, escalations, and automated alerts.

• To process billing, invoicing, contracts, account administration, and customer relationship management.

• To monitor, secure, troubleshoot, debug, improve, and optimize the Services.

• To provide customer support, respond to inquiries, and communicate service-related updates.

• To comply with applicable laws, contractual obligations, DPAs, BAAs, subpoenas, court orders, legal processes, and regulatory obligations.

• To protect the rights, property, security, and integrity of OperationWorks, clients, users, and the Services.

2.5 Legal Bases for Processing

Where legal bases are required by applicable law, OperationWorks relies on one or more of the following legal bases: performance of a contract, legitimate interests in providing and securing the Services, compliance with legal obligations, consent where required, and instructions from the applicable client when OperationWorks acts as a processor, service provider, or Business Associate.

2.6 Google API Services and Google User Data

OperationWorks may allow users to authenticate with Google and may use Google API Services to provide user-facing functionality authorized by the user or the user’s organization. OperationWorks’ use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

OperationWorks uses Google user data only to provide and improve the user-facing features disclosed to users and authorized by the applicable client or user. OperationWorks does not sell Google user data, use Google user data for advertising, transfer Google user data to advertising platforms, data brokers, or information resellers, or use Google user data for any purpose not disclosed in this Privacy Policy and the applicable consent or authorization flow.

2.7 SMS/Voice Data and Mobile Information No-Sharing Rule

OperationWorks uses mobile phone numbers solely to deliver automated, non-marketing operational notifications generated by the Services, including compliance checks, escalations, assigned tasks, due items, work assignments, inspection alerts, and related operational updates.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All categories of data described in this Privacy Policy exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. OperationWorks may share mobile phone numbers, consent records, and related delivery data with direct technical service providers, such as Twilio, solely as required to transmit and administer the operational SMS/text messaging program.

2.8 How We Share Information

OperationWorks does not sell, rent, or trade personal information. We may share information only as described below:

• With authorized subprocessors and technical service providers that support hosting, databases, authentication, productivity integrations, messaging delivery, storage, monitoring, security, support, and related Service operations.

• With the applicable corporate client, facility, municipality, employer, or enterprise customer that controls or administers the deployment in which the data is processed.

• With professional advisors, auditors, insurers, legal counsel, and similar parties under appropriate confidentiality obligations.

• When required by law, legal process, court order, subpoena, regulator, or government request.

• In connection with a merger, acquisition, financing, restructuring, or sale of business assets, subject to appropriate confidentiality and data protection safeguards.

2.9 Subprocessors

OperationWorks uses vetted service providers and subprocessors to deliver the Services. Authorized subprocessors may include cloud hosting and managed database infrastructure providers, Google Cloud Services, Microsoft Azure or Office 365 services, Twilio Inc., Dropbox Inc., monitoring and security providers, and other vendors necessary to provide, secure, and support the Services. Subprocessors are permitted to process information only as necessary to provide contracted services to OperationWorks and are subject to appropriate confidentiality, security, and data protection obligations.

2.10 International Transfers

OperationWorks is based in the United States and may process information in the United States and other jurisdictions where OperationWorks or its service providers operate. Where required, OperationWorks uses appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses or other lawful transfer mechanisms.

2.11 Data Retention

OperationWorks retains personal information only for as long as necessary to provide the Services, maintain accounts, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support legitimate business purposes. Customer Data processed under a DPA, BAA, or client agreement is retained, returned, or deleted according to the applicable client instructions and contractual retention terms.

2.12 Security and HIPAA-Related Safeguards

OperationWorks maintains administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, alteration, and disclosure. Safeguards may include encryption in transit and at rest, role-based access controls, multi-factor authentication, logging and monitoring, access reviews, security training, and vendor management.

For care facility deployments involving PHI, OperationWorks implements safeguards designed to support HIPAA compliance where a BAA applies. PHI processing is governed by the applicable BAA and client instructions.

2.13 Individual Rights and Requests

Depending on your location, you may have rights to access, correct, delete, restrict, object to, or receive a copy of certain personal information. To submit a request relating to information OperationWorks controls, contact us using the information below. If your request relates to Customer Data processed for a corporate client, care facility, municipality, or employer, please submit your request directly to that entity, because OperationWorks processes that data on its behalf.

2.14 Breach Notification

If OperationWorks becomes aware of a security incident involving personal information, Customer Data, or PHI, OperationWorks will investigate and provide notifications to affected clients, users, individuals, and regulators as required by applicable law and by applicable DPA or BAA obligations.

2.15 Changes to this Privacy Policy

OperationWorks may update this Privacy Policy from time to time. We will update the effective date when changes are made. For material changes, OperationWorks will provide notice through the website, within the Services, by email, or by another reasonable method.

2.16 Contact Information

OperationWorks Privacy Team

Website: https://www.operationworks.com

Email: info@operationworks.com

Phone: 800-299-2521

Mailing Address: 6 Liberty Square, Unit 510 Boston, MA 02109

‍