1 Purpose

 

In its everyday business operations Vomela Holdings, LLC makes use of a variety of data about identifiable individuals, including data about:

 

  •         Current, past, and prospective employees
  •         Customers
  •         Users of its websites
  •         Subscribers
  •         Other stakeholders

 

In collecting and using this data, the organization is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.

 

The purpose of this policy is to detail how Vomela handles personal data entrusted to it by its customers in the course of providing services, and the safeguards it implements to process such data responsibly. This policy also identifies the legislation applicable to Vomela’s operations and describes the steps Vomela Holdings, LLC is taking to ensure that it complies with that legislation.

 

2 Scope

 

This Privacy and Personal Data Protection Policy (“Policy”) applies to Vomela Holdings, LLC and all direct and indirect subsidiaries and operating divisions (collectively, “Vomela”).

This includes, but is not limited to:

 

  •         SaaS operations
  •         Commercial print and fulfilment operations
  •         Marketing services and customer engagement platforms

 

This Policy applies to all employees, contractors, temporary personnel, and third parties acting on behalf of Vomela who access, process, or manage personal data.

 

Vomela operates across multiple jurisdictions, including the United States, European Economic Area (including Poland and Germany), the United Kingdom, and Canada. This Policy is designed to meet applicable data protection requirements in all such jurisdictions.

 

3 Privacy and Personal Data Protection Policy

 

3.1 The General Data Protection Regulation and Global Privacy Laws

 

The GDPR and related national laws govern how Vomela collects, uses, retains, and transfers personal data of individuals in the EEA (including Poland and Germany). Vomela also complies with the UK GDPR and Data Protection Act 2018, Canadian privacy laws (PIPEDA/CPPA and applicable provincial laws), and applicable United States federal and state privacy laws (including HIPAA where relevant). Vomela will ensure compliance is demonstrable, documented, and consistently applied across all operations.

 

Key obligations and commitments:

 

  a) Records of Processing (RoPA): Vomela will maintain and regularly review Records of Processing Activities for all relevant processing.
  b) Lawful bases: Vomela will document the lawful basis for GDPR/UK GDPR processing and complete Legitimate Interest Assessments where applicable.
  c) Data subject rights: Vomela will honor data subject rights and meet statutory timelines (e.g., one month under GDPR/UK GDPR, with permitted extensions and local variations).
  d) DPIAs and privacy by design: Vomela will perform Data Protection Impact Assessments for high-risk processing and apply privacy by design principles.
  e) Cross-border transfers: Vomela will use appropriate safeguards for international transfers (adequacy decisions, SCCs with Transfer Impact Assessments, the UK IDTA, or BCRs) and document the transfer mechanism used.
  f) DPO / representatives: Vomela will evaluate and appoint a Data Protection Officer or local representatives where required by law.
  g) Breach notification: Vomela will follow applicable breach reporting rules (e.g., notification to the supervisory authority within 72 hours of becoming aware of a notifiable breach under GDPR) and local breach/notification obligations.
  h) HIPAA / PHI: Where subsidiaries act as Business Associates or process PHI, Vomela will execute BAAs and apply HIPAA-compliant safeguards.

3.2 Definitions

 

There are a total of 26 definitions listed within Article 4 – Definitions of the GDPR and it is not appropriate to reproduce them all here. However, the most fundamental definitions with respect to this policy are as follows:

 

  a) Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their personal data.
  b) Controller: The natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of personal data.
  c) Cross-Border Transfer: The transfer of personal data from one jurisdiction to another, including transfers outside the European Economic Area (EEA), United Kingdom, or Canada.
  d) Data Controller vs. Data Processor (Vomela Context): For purposes of this Policy, Vomela and its subsidiaries may act as either a Data Controller or Data Processor depending on the nature of the services provided.
     •  Vomela acts as a Controller when determining the purposes and means of processing (e.g., employee data, marketing, internal operations).
     •  Vomela acts as a Processor when processing personal data on behalf of customers, including SaaS, print, mailing, and fulfilment services.
  e) Data Subject: An identified or identifiable natural person whose personal data is processed by Vomela.
  f) Personal Data: Any information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, by reference to identifiers such as a name, identification number, location data, online identifier, or factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
  g) Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
  h) Personal Information (Canada): Information about an identifiable individual as defined under the Personal Information Protection and Electronic Documents Act (PIPEDA), which broadly aligns with the definition of personal data under GDPR.
  i) Processing: Any operation or set of operations performed on personal data, whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
  j) Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
  k) Protected Health Information (PHI): Individually identifiable health information that is protected under the Health Insurance Portability and Accountability Act (HIPAA), including demographic data, medical histories, test results, and other health-related information.
  l) Standard Contractual Clauses (SCCs): Contractual clauses approved by the European Commission that provide appropriate safeguards for the transfer of personal data outside the EEA.
  m) UK International Data Transfer Addendum: A legally recognized mechanism that supplements SCCs for transfers of personal data from the United Kingdom.

3.3 Roles in Data Processing

3.3.1 Vomela Roles

 

  a) Data Controller: Vomela acts as a Controller when it determines the purposes and means of processing personal data (for example: employee/HR data, internal corporate systems, marketing for Vomela’s own products and services).
  b) Data Processor: Vomela acts as a Processor when it processes personal data on behalf of a customer or other Controller (for example: SaaS platform services, print production, mailing, fulfilment operations).

3.3.2 Vomela – Data Processor

When Vomela acts as a Processor, it will:

  a) process personal data only on the documented instructions of the Controller;
  b) implement appropriate technical and organizational security measures to protect personal data;
  c) ensure that any subprocessors engaged are subject to written contractual terms at least as protective as those Vomela has agreed with the Controller, and remain liable for their compliance;
  d) assist the Controller in responding to data subject requests, data protection impact assessments (DPIAs), and regulatory enquiries as reasonably required;
  e) assist the Controller with breach notification obligations and notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data;
  f) comply with contractual obligations relating to international transfers of personal data, including using appropriate safeguards (e.g., adequacy decisions, Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum) and conducting Transfer Impact Assessments when required; and
  g) make available, on request and subject to confidentiality, information and reasonable cooperation to enable the Controller to demonstrate compliance with applicable data protection law, including allowing audits or inspection rights where contractually agreed.

3.3.3 Vomela – Controller

 

When Vomela acts as a Controller, it will comply with the obligations in this Policy and applicable law(s) for Controllers.

3.4 Principles Relating to Processing of Personal Data

3.4.1 Data Protection Principles

 

Vomela commits to the following data protection principles and will apply them to all personal data processing activities across its operations:

 

  a) Lawfulness, fairness and transparency: Personal data will be processed only where there is a valid legal basis (e.g., contract performance, legal obligation, legitimate interests, consent, or another lawful basis recognized by local law). Processing will be fair to the data subject and conducted in a transparent manner: Vomela will provide clear, concise privacy notices explaining what personal data is collected, why it is processed, how it is used, and the rights available to the individual.
  b) Purpose limitation: Personal data will be collected for specified, explicit and legitimate purposes and will not be further processed in a manner incompatible with those purposes. Any new purpose will be assessed for compatibility and, where required, communicated to data subjects.
  c) Data minimization: Vomela will limit collection and retention to the minimum personal data necessary to achieve the stated purpose. Data collection forms, processes, and systems will be designed to avoid excessive or unnecessary personal data capture.
  d) Accuracy: Reasonable steps will be taken to ensure that personal data is accurate and up to date. Where inaccuracies are identified, Vomela will correct or securely dispose of the data without undue delay.
  e) Storage limitation: Personal data will be retained only for as long as necessary for the original purpose or to satisfy legal, tax or audit obligations. Retention periods will be defined, documented and applied consistently; data that is no longer required will be securely deleted or anonymized.
  f) Integrity and confidentiality: Appropriate technical and organizational measures will be implemented to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Controls will be proportionate to the sensitivity of the data and the risk to individuals (e.g., encryption, access controls, logging, physical security and secure disposal).

3.4.2  Demonstrating Compliance

 

Vomela is responsible for demonstrating compliance with these principles. To that end Vomela will:

 

  a) Maintain and review Records of Processing Activities (RoPA) and a central data inventory.
  b) Perform Data Protection Impact Assessments (DPIAs) where processing is likely to result in high risk to individuals.
  c) Implement and monitor internal policies, procedures and technical controls to operationalize the principles above (including privacy by design and by default).
  d) Provide role-based training and awareness for staff and business partners who handle personal data.
  e) Conduct regular compliance reviews, audits and risk assessments and retain evidence demonstrating compliance decisions and remedial actions.

This policy applies equally to all Vomela entities and to any third parties processing personal data on Vomela’s behalf. Where local law imposes additional or stricter requirements (for example under GDPR, UK GDPR, PIPEDA/CPPA, HIPAA or applicable U.S. state breach/consumer privacy rules), Vomela will apply the more protective requirement.

3.5 Rights of the Individual

3.5.1 Data Subject Rights

 

Vomela recognizes and respects the rights of data subjects and will provide mechanisms to enable individuals to exercise their rights under applicable data protection laws. Data subjects have the following rights (subject to any applicable legal exemptions and limitations):

 

  a) Right to be informed: to receive clear, transparent information about the processing of their personal data (e.g., via privacy notices or at the time of collection).
  b) Right of access: to obtain confirmation whether their personal data is being processed and, where it is, to receive a copy of the personal data and certain supplementary information.
  c) Right to rectification: to have inaccurate or incomplete personal data corrected without undue delay.
  d) Right to erasure (right to be forgotten): to request deletion of personal data where a lawful ground for retention no longer exists, subject to any applicable legal or contractual retention obligations.
  e) Right to restrict processing: to request a temporary restriction on processing where accuracy is contested, processing is unlawful and erasure is opposed, Vomela no longer needs the data for the purpose but the individual requires it for legal claims, or the individual has objected to processing pending verification of legitimate interests.
  f) Right to data portability: to receive personal data they have provided to Vomela in a structured, commonly used and machine-readable format, and to transmit that data to another controller where technically feasible.
  g) Right to object: to object to processing based on legitimate interests or for direct marketing; Vomela will stop processing unless it can demonstrate compelling legitimate grounds or needs the data for legal claims.
  h) Rights related to automated decision-making and profiling: to request human intervention, express views and contest decisions where automated decision-making produces legal or similarly significant effects, subject to limited lawful exceptions.

3.5.2 Handling Requests

 

  a) Submission: Data subject requests should be submitted through Vomela’s designated privacy request channels ([email protected]). Vomela will verify the requester’s identity before responding where necessary.
  b) Fees: Vomela will not charge a fee for handling legitimate requests except in limited circumstances permitted by law (e.g., where requests are manifestly unfounded or excessive). If a fee is to be charged or the request is refused, Vomela will provide a clear explanation.
  c) Refusal and partial compliance: If Vomela refuses a request in whole or in part, it will inform the individual of the reasons for refusal and any available review or complaint mechanisms (including supervisory authorities).
  d) Recordkeeping: Vomela will log and retain records of data subject requests and responses to demonstrate compliance.

3.5.3 Timelines

 

Vomela will respond to data subject requests within the timelines required by applicable law, including any permitted extensions:

  a) GDPR/UK GDPR: Vomela will respond without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where necessary, taking into account the complexity and number of the requests; Vomela will inform the requester of any extension within one month of receipt and provide reasons for the delay.
  b) Canadian federal/provincial law (PIPEDA/CPPA and applicable provincial rules): Vomela will follow the timelines set by that law and will communicate any specific timelines or extensions in its response.
  c) U.S. state privacy laws and HIPAA: Vomela will comply with the relevant state timelines or HIPAA requirements where applicable and will advise requesters of any jurisdictional differences.

 

3.5.4 Standard Response Timelines

The following standard response timelines apply, subject to applicable law and permitted extensions:

  Right                                       | Standard response timeline
  --------------------------------------------|---------------------------------------------------------------------------------------
  Right to be informed                        | At the time of collection or on request; generally within one month.
  Right of access                             | Within one month (plus up to a two-month extension if justified).
  Right to rectification                      | Within one month (plus possible extension).
  Right to erasure                            | Without undue delay and in any event within one month (plus possible extension).
  Right to restrict processing                | Without undue delay and in any event within one month (plus possible extension).
  Right to data portability                   | Within one month (plus possible extension) where the request is valid and technically feasible.
  Right to object                             | Actioned promptly upon receipt; response within one month (plus possible extension) where applicable.
  Automated decision-making/profiling queries | Within one month (plus possible extension), with an explanation of the decision logic where required by law.

Table 1: Standard response timelines

3.6 Consent

 

Vomela will rely on consent for processing only where consent is the appropriate lawful basis under applicable law. Consent, when used, will meet legal requirements and the following standards:

  a) Valid consent requirements: Consent must be freely given, specific, informed, and unambiguous. It must be evidenced by a clear affirmative act (e.g., a checked box, signed statement, or an electronic acceptance) that indicates agreement to the specific processing activity. Pre-ticked boxes or silence do not constitute valid consent.
  b) Scope and specificity: Consent must be obtained separately for different processing activities where appropriate (for example: profiling for marketing, sharing data with third parties, or processing special categories of data). Consent requests will be concise, easy to understand, and clearly distinguishable from other matters.
  c) Special categories and sensitive data: For processing special category or sensitive personal data (e.g., health information, racial or ethnic origin, political opinions), Vomela will obtain explicit consent where required by applicable law, or otherwise rely on another valid lawful basis permitted by local law.
  d) Children and parental/guardian consent: Vomela will obtain parental or guardian consent where required by law for processing the personal data of children. For processing of children’s personal data in the EEA, Vomela will follow the GDPR default rule that parental consent is required for children under the age of 16 unless a Member State’s law sets a lower age (the minimum may be 13–16). For the UK, Vomela will default to age 13 for online services unless otherwise required by law. For Canada and other jurisdictions Vomela will comply with applicable local rules on minors’ consent.
  e) Alternatives to consent: Where processing is based on another lawful basis (e.g., performance of a contract, legal obligation, legitimate interests), Vomela will document the lawful basis selected and the justification for using it rather than consent. In particular, for direct marketing Vomela will select the lawful basis permitted by local law (consent or legitimate interests) and respect opt-out preferences.
  f) Transparency at the time of collection: Where consent is obtained, Vomela will provide transparent information at the time of collection (or, where personal data are not collected directly from the data subject, within a reasonable period and in any event within one month) about: the purposes of processing, the data to be processed, the identity of the controller, recipients or categories of recipients, the right to withdraw consent, retention periods, and any other information required by applicable law. This information will be provided in a clear, accessible form and free of charge (e.g., via privacy notices).
  g) Withdrawal of consent: Data subjects have the right to withdraw consent at any time. Withdrawal will be as easy as giving consent and will not affect the lawfulness of processing based on consent prior to withdrawal. Vomela will promptly honor withdrawals of consent and will notify the individual of any consequences of withdrawal (for example, if withdrawal means Vomela cannot continue to provide a service).
  h) Record keeping and accountability: Vomela will record and retain evidence of obtained consent (who consented, what they were told, when and how consent was given, and the processing activity covered). Consent records will be kept in accordance with Vomela’s retention schedules and applicable law.
  i) Review and refresh of consent: Vomela will periodically review consent records for continued validity where reliance on consent is ongoing, and will refresh consent where processing purposes change materially or where continued consent is required by law.
  j) Handling of refusal or withdrawal: If an individual refuses or withdraws consent and no other lawful basis for the processing exists, Vomela will cease the relevant processing and will implement any required deletion, restriction or other actions as specified under this policy.

 

Operational notes:

 

  a) Consent mechanisms, opt-out links, and privacy notices will be implemented in Vomela systems and customer-facing interfaces.
  b) Where Vomela acts as a processor on behalf of a customer, Vomela will follow the controller’s instructions regarding consent and will assist controllers in managing consent where contractually required.

3.7  Privacy by Design

 

Vomela has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data are subject to due consideration of privacy issues, including the completion of one or more privacy (also known as data protection) impact assessments.

The privacy impact assessment will include:

  a) Consideration of how personal data will be processed and for what purposes
  b) Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
  c) Assessment of the risks to individuals in processing the personal data
  d) The controls necessary to address the identified risks and demonstrate compliance with legislation

Use of techniques such as data minimization, pseudonymization, and encryption shall be considered and implemented where appropriate and proportionate to the risks associated with the processing activity. Personal Data shall be protected through encryption at rest and in transit where feasible and in accordance with applicable legal, regulatory, contractual, and business requirements.

 

3.8  Transfer of Personal Data

 

Transfers of personal data outside the European Economic Area (EEA) must be carefully reviewed before they take place to ensure that they fall within the limits imposed by the GDPR (and, for personal data transferred from the United Kingdom, the UK GDPR). This depends partly on the European Commission’s judgement as to the adequacy of the safeguards for personal data in the receiving country, and that judgement may change over time.

 

It may be necessary for specific contractual terms to be used to cover international transfers. Where possible, these should be based upon standard contractual clauses (SCCs) made available by the relevant authority.

 

Intra-group international data transfers may be subject to legally binding agreements referred to as Binding Corporate Rules (BCR) which provide enforceable rights for data subjects.

 

3.9  Data Protection Governance

 

Vomela has established centralized governance over data protection through its Compliance and Information Security functions.

 

While a formal Data Protection Officer (DPO) is not currently required, designated roles are responsible for:

 

  a) Monitoring compliance
  b) Managing data protection risks
  c) Handling data subject requests
  d) Coordinating breach response

Where required, regional representatives will be designated.

 

3.10  Breach Notification

Vomela treats personal data breaches seriously and will respond promptly to contain, assess, remediate and notify as required by law (including, where GDPR applies, notification to the supervisory authority within 72 hours of becoming aware of a notifiable breach, and, where Vomela acts as a Processor, notification to the affected Controller without undue delay). Vomela’s breach notification principles, roles, timelines and required notification content are set out in its Information Security Incident Response Procedure and related playbooks, in accordance with which breach response and notification will be managed.

 

3.11  Data Retention

Vomela will retain personal data only for as long as is necessary to fulfil the specific, documented purposes for which it was collected, to meet legal or contractual obligations, or to support legitimate business needs (including audit and dispute resolution). Retention decisions will follow the principles of data minimization and storage limitation.

Retention schedules are defined in the Records Retention and Protection Policy.

 

3.11.1   Key requirements

 

  a) Purpose and lawful basis: Each category of personal data will have a stated purpose and lawful basis for processing. Retention periods will be aligned to those purposes and the underlying legal basis (e.g., contract performance, legal obligation, legitimate interests, consent).
  b) Documented retention schedules: Vomela’s Records Retention and Protection Policy contains the authoritative retention schedules and disposal methods for all categories of records (for example: HR/employee records, customer account data, transactional records, marketing lists, operational logs, PHI). Business units must follow those schedules and consult Legal or Compliance if longer retention is required for litigation, regulatory, or tax reasons.
  c) Secure disposal and anonymization: When data is no longer required, Vomela will securely delete, destroy, or irreversibly anonymize it in accordance with the Records Retention and Protection Policy. Disposal methods will be proportionate to the sensitivity of the data (e.g., secure wipe of electronic records, shredding of physical records).
  d) Backups and system copies: Retention schedules apply to primary systems and backups. If data persists in backups, Vomela will ensure that restores are subject to the same retention/deletion obligations and that backup retention periods are documented. Exceptions for backups (e.g., technical constraints) will be minimized and documented.
  e) Cross-jurisdictional considerations: Retention periods may vary by jurisdiction due to local law (e.g., EU, UK, Canada, U.S. state laws). Vomela will apply the most protective requirement where laws differ and will document jurisdictional variations in the central retention schedule.
  f) Legal holds and exceptions: Data subject to litigation, regulatory investigation, or a legal hold will be retained until the hold is released. Business units must notify Records Management and Legal immediately if they become aware of any hold.
  g) Roles and responsibilities: Data owners are responsible for identifying retention periods for data they control and for ensuring deletion or anonymization occurs when periods expire. The Records Management team, together with Legal and Compliance, will maintain the retention schedules, provide guidance, and review retention practices.
  h) Review and certification: Retention schedules and practices will be reviewed periodically (at least annually) and updated to reflect changes in law, business needs, or risks. Compliance with retention requirements will be monitored through audits, and recorded evidence of disposal or anonymization will be retained per the Records Retention and Protection Policy.

3.11.2   Records Retention and Protection Policy

 

The Records Retention and Protection Policy contains the specific retention periods, disposal methods and any jurisdictional exceptions. For questions or requests for retention exceptions, contact Compliance ([email protected]).

 

This retention approach supports Vomela’s obligation to limit storage to what is necessary, to respect data subject rights, and to demonstrate accountability.

 

3.12  HIPAA (Where Applicable)

 

Where Vomela subsidiaries handle Protected Health Information (PHI) as Business Associates or Covered Entities under HIPAA, they will comply with all applicable HIPAA requirements including entering Business Associate Agreements (BAAs) that define permitted uses, breach reporting, subcontractor obligations, and return/destruction of PHI. Vomela will implement administrative, physical, and technical safeguards—such as risk assessments, workforce training, access controls, encryption, logging, and secure disposal—to protect the confidentiality, integrity, and availability of PHI, and will apply the “minimum necessary” principle to limit access and use.

 

Vomela will promptly notify Covered Entities of any actual or suspected incidents involving PHI and will cooperate with investigations, mitigation, and regulatory reporting as required by the BAA and HIPAA. The company will support Covered Entities in fulfilling individuals’ HIPAA rights where required, maintain documentation of HIPAA compliance (policies, assessments, training, audits), permit audits as provided in contracts, and ensure secure return or destruction of PHI at BAA termination. For questions, BAAs, or incident reporting, stakeholders should contact [email protected].