1. Introduction

This Confidentiality Policy outlines the principles and practices that Studio XP (“the Company”) adheres to in order to ensure the confidentiality, security, and privacy of personal information collected, processed, and stored in compliance with the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

2. Scope

This policy applies to all employees, contractors, third-party vendors, and anyone who has access to personal information collected and processed by the Company.

3. Definitions

– **Personal Information**: Any information that relates to an identified or identifiable natural person, as defined by CCPA and GDPR.

– **Processing**: Any operation performed on personal information, such as collection, storage, retrieval, use, disclosure, and erasure.

4. Confidentiality and Security Measures

– **Data Minimization**: The Company shall collect and process only the minimum necessary personal information required for legitimate business purposes.

– **Access Controls**: Personal information shall be accessible only to authorized personnel who require it for their job responsibilities.

– **Encryption**: Personal information stored electronically shall be encrypted both in transit and at rest.

– **Physical Security**: Physical access to areas where personal information is stored shall be restricted to authorized personnel.

– **Data Breach Response**: In the event of a data breach, the Company shall follow a pre-defined incident response plan to mitigate and resolve the breach promptly.

– **Employee Training**: All employees shall receive regular training on data protection, confidentiality, and privacy practices.

– **Vendor Compliance**: Third-party vendors processing personal information on behalf of the Company shall adhere to similar confidentiality and security measures.

5. Lawful Basis for Processing

The Company shall only process personal information when there is a lawful basis as defined by GDPR, such as consent, contractual necessity, legal obligation, vital interests, or legitimate interests. For the CCPA, personal information shall be processed in alignment with the specific rights and requirements of the Act.

6. Individual Rights

Individuals whose personal information is processed by the Company shall have the following rights:

– **Right to Access**: Individuals can request access to their personal information held by the Company.

– **Right to Rectification**: Individuals can request corrections to inaccurate or incomplete personal information.

– **Right to Erasure**: Individuals can request the deletion of their personal information under certain circumstances.

– **Right to Object**: Individuals can object to the processing of their personal information based on legitimate interests.

– **Right to Data Portability**: Individuals can request their personal information to be provided in a commonly used machine-readable format.

– **Right to Opt-out (CCPA)**: Individuals have the right to opt-out of the sale of their personal information.

– **Right to Non-Discrimination (CCPA)**: Individuals shall not face discrimination for exercising their privacy rights.

7. Data Retention

Personal information shall be retained only for the period necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law. After the retention period, personal information shall be securely deleted.

8. Cross-Border Transfers

If personal information is transferred to countries outside the European Economic Area (EEA) or California, appropriate safeguards shall be implemented as required by GDPR and CCPA.

9. Accountability

The Company shall maintain records of data processing activities, including purposes, categories of personal information, and applicable legal bases.

10. Policy Review

This policy shall be reviewed and updated periodically to ensure its relevance and compliance with evolving privacy laws and regulations.

By adhering to this Confidentiality Policy, Studio XP commits to safeguarding the confidentiality, security, and privacy of personal information in accordance with CCPA and GDPR requirements.

**Effective Date:** 30 August 2023 – **Last Updated:** 30 August 2023