Privacy Policy

Effective Date: July 07, 2025

CX Assist

Website: cx-assist.com

1. INTRODUCTION

CX Assist ("CX Assist", "we", "us", or "our"), a product of Balance VA Limited, respects your privacy and is committed to complying with its obligations under applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Act 1988.

This Privacy Policy explains how we collect, use, share, and safeguard limited personal data collected through our website and outlines the nature of services we provide on behalf of our clinic clients across these regions.

CX Assist is a trading name of Balance VA; this Policy also applies to CX Assist's global operations in the UK, EU, USA, Canada, and Australia, including AI-assisted call handling, appointment booking, AWS-hosted patient data, 24/7 telecom services, and international data transfer arrangements.

As a virtual assistant (VA) service provider to clinics, we primarily act as a data processor, not a data controller, for any patient or service user information we may access. This Policy applies exclusively to personal data collected via our own website and business operations, and also to patient contact and appointment data downloaded and stored on AWS per clinic instructions, for which CX Assist acts as a data controller. Patient data accessed through third-party clinical or insurance platforms remains under the control of those respective clinics.

2. SCOPE OF POLICY

This Privacy Policy applies to:

  • Visitors and users of our website CX Assist;
  • Individuals who contact us via web forms, email, or telephone;
  • Prospective clients or job applicants who interact with us.
  • Patients whose contact details and appointment data are downloaded by CX Assist's platform onto AWS servers, or processed through AI or telecom systems across jurisdictions.

It does not apply to any patient data input into clinical, practice management, or insurance systems that belong to our healthcare clients (as long as they are not downloaded to AWS or handled by our telecom infrastructure). For such data, CX Assist operates solely under the instruction of the clinic as their data processor.

Please also review our [Cookie Policy] for further details on how we use cookies and similar technologies.

3. WHAT IS PERSONAL DATA?

"Personal Data" refers to any data relating to a living individual who can be identified directly from that data or indirectly in conjunction with other information. Under applicable privacy laws including the UK GDPR, EU GDPR, CCPA, PIPEDA, and the Australian Privacy Act, Personal Data may include, but is not limited to:

  • Full names, postal or email addresses, and telephone numbers;
  • IP addresses, browser identifiers, or location data;
  • Employment or professional details;
  • Financial or transaction data;
  • Any information that, alone or combined with other data, could lead to the identification of a specific individual.

CX Assist does not collect or retain patient personal data in the course of providing virtual assistant services to clinics and healthcare professionals unless downloaded to AWS or processed through AI call handlers. When our agents or AI handle communications, they do so by securely logging into software systems provided and controlled by the clinics themselves. When clinics opt into CX Assist's AWS-hosted platform, or when telecom-based AI agents are used, patient contact and appointment data are either stored or processed via our systems; CX Assist acts as data controller for this data. All such data remains encrypted and protected under clinician instructions.

4. HOW IS YOUR PERSONAL DATA COLLECTED?

While CX Assist does not collect or retain any patient data unless clinics activate CX Assist's integrated platform, we may collect limited personal data from individuals who engage with us directly such as clients, website visitors, applicants, or business contacts. The types of personal data we collect may include:

  • Identity Data, such as your name, job title, or role within your organisation.
  • Contact Data, including your business email address, phone number, and correspondence address.
  • Technical Data, such as your IP address, browser type, geographical location, and usage patterns when visiting our website.
  • Communications Data, including messages submitted via our website forms or email, such as general enquiries, feedback, or requests for information.
  • Recruitment Data, such as CVs, cover letters, and other information provided when applying for a position with us.
  • Patient Data, including names, phone numbers, email addresses, and appointment details, when clinics enable CX Assist's AWS-hosted or telecom-integrated platform.

5. LEGAL BASIS FOR PROCESSING

Under various data protection regimes, we rely on the following lawful bases:

  • Consent – where you have provided clear and informed consent, such as when you opt in to receive marketing communications.
  • Contractual necessity – where processing is necessary to enter into or perform a contract with you, for instance when managing a service agreement or evaluating a job application.
  • Legitimate interests – where processing is necessary for our legitimate business purposes, such as internal administration, responding to enquiries, recruitment, or improving our website and services, provided your rights and freedoms are not infringed.
  • Legal obligation – where processing is necessary to comply with applicable legal or regulatory requirements.

Explicit consent or performance of contract (under GDPR, CCPA, PIPEDA, or Australian law) for patient data handled by CX Assist's platform.

We do not use your personal data for any incompatible or unlawful purposes.

6. USE OF YOUR PERSONAL DATA

We use your personal data solely for legitimate, clearly defined purposes necessary for the smooth functioning of our services and effective management of our relationship with you. This includes responding to your enquiries, providing information about our services, and offering customer support. If you apply for a job with us, we use your data to manage the recruitment process, including reviewing CVs and arranging interviews. When you register for an account or sign up for our services, your information is used to create and manage your customer profile, deliver services, and administer your account securely.

For CX Assist users, personal data is also used to enable AI (and human) agents to answer calls and schedule appointments. Patient contact data and appointment details are securely stored on in-region AWS servers. Telecom infrastructure supports inbound and outbound communications. Billing and pricing functions may rely on patient contact history. Refunds are issued by clinics only when services have not been rendered, in line with our pricing terms.

We also process data to improve the performance, functionality, and security of our website and platform. Usage data helps us understand how users interact with our content, enhancing the user experience and tailoring services to customer needs. With your explicit consent, we may send marketing materials, updates, or personalised recommendations based on your interests or interactions with us. You may also be invited to participate in surveys or feedback activities, which support our market research and service improvements.

We do not use your data for profiling, automated decision-making, or targeted advertising without your clear and informed consent. All data processing is carried out in accordance with applicable data protection laws, and we are committed to handling your information with transparency, purpose, and care.

7. DATA SHARING AND DISCLOSURE

We treat your personal information with care and discretion. We only share personal data where necessary and with trusted third parties who are subject to appropriate data protection obligations. These may include:

  • IT service providers, such as those supporting our website and email infrastructure;
  • Law enforcement authorities or regulatory bodies, if we are legally required to do so;
  • Legal, financial, or insurance professionals, for compliance, audit, or advisory purposes;
  • Website analytics providers, for improving user experience and traffic monitoring;
  • Clinic partners, where your interaction specifically relates to a referral, booking, or communication you have initiated;
  • Recruitment and HR service providers, in connection with the hiring process.

International data may be processed by our teams or infrastructure in the US, UK, EU, Canada, or Australia only where appropriate legal safeguards are in place. We do not sell, rent, or trade your personal data with any third parties for marketing or commercial purposes.

8. INTERNATIONAL DATA TRANSFERS

In certain cases, your personal data may be transferred to and processed in other countries. This can occur when we use service providers or platforms with infrastructure located abroad. For instance, data may be processed on AWS servers deployed by region, including the UK, EU, USA, Canada, and Australia. We take active steps to minimise cross-border transfers by keeping patient data within the region in which it was collected whenever possible.

Where international transfers are necessary, we implement appropriate safeguards to ensure your data remains protected. These include:

  • Confirming the destination country has been granted an adequacy decision by the UK government;
  • Using Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO);
  • Relying on Binding Corporate Rules adopted by multinational service providers.
  • Entering into data transfer agreements compliant with applicable laws such as the CCPA (USA), PIPEDA (Canada), and the Australian Privacy Principles.

We take all reasonable steps to ensure that your privacy rights remain protected when your data is processed internationally.

9. DATA SECURITY

We take the security of your personal data seriously and implement a robust combination of technical and organisational measures to protect it against accidental loss, misuse, or unauthorised access. These measures include the use of SSL/TLS encryption to secure data transmitted through our website, role-based access controls to ensure that only authorised personnel can access sensitive information, and secure login protocols when interfacing with third-party platforms or clinic systems.

We apply robust access controls, encryption, firewalls, password hygiene, and system monitoring. Telecom and AI systems are tested for resilience. AWS configurations are hardened to meet HIPAA, GDPR, and other compliance needs.

Additionally, we regularly conduct internal reviews and security assessments to evaluate and strengthen our data protection practices. While we are committed to maintaining high standards of security, it is important to note that no method of online transmission or electronic storage is entirely foolproof. Therefore, although we do our best to safeguard your information, we cannot guarantee absolute security, and any data you share with us is at your own risk.

10. DATA RETENTION

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or to meet legal, regulatory, or contractual requirements. Typical retention periods include:

  • General enquiries and contact forms – retained for up to 12 months from the date of last contact;
  • Job applications and CVs – retained for up to 12 months unless the applicant is hired, in which case data may be stored in accordance with employment law and HR best practices;
  • Business and contractual records – retained for 6 to 7 years to comply with financial and tax regulations.

11. YOUR PRIVACY RIGHTS

Depending on your region, you may have rights to:

  • Access your data;
  • Correct or erase your data;
  • Restrict or object to processing;
  • Data portability;
  • Withdraw consent;
  • File complaints with supervisory authorities.

Patients may request data deletion or opt-out from AI communication. We respond to verified rights requests within legal timeframes (e.g., 1 month under UK/EU law, 45 days under CCPA).

12. CHANGE OF PURPOSE

We will only use your personal data for the purposes for which it was collected, unless we reasonably consider that we need to use it for another purpose that is compatible with the original one. If we need to use your data for a new, unrelated purpose, we will notify you in advance and explain the legal basis that allows us to do so.

If we rely on your consent as the legal ground for processing and wish to change the purpose, we will seek your explicit consent before proceeding. You have the right to withdraw your consent at any time.

13. COOKIES

Our website uses cookies and similar technologies to provide a better user experience, gather anonymous analytics data, and improve the functionality of our online services. Cookies are small text files placed on your device when you visit our website. They help us understand how visitors interact with our content, monitor technical performance, and make improvements.

You can manage or disable cookies through your browser settings. For full details on how we use cookies and how you can control them, please refer to our [Cookie Policy].

14. THIRD-PARTY LINKS

Our website may contain links to third-party websites or resources that are not operated by CX Assist. These external sites have their own privacy policies and terms of use, which we do not control. We encourage you to read their policies before submitting any personal data. CX Assist accepts no responsibility or liability for how third-party websites handle your information.

15. CHILDREN'S POLICY

Our services are not directed to individuals under the age of 13 (or the relevant age of digital consent in your jurisdiction, such as 16 in certain EU member states), and we do not knowingly collect personal information from children without verifiable parental consent. If you are a parent or guardian and you believe that your child has provided us with personal data, please contact us immediately. We will take steps to delete such information from our records promptly.

If we become aware that we have inadvertently collected personal information from a child without appropriate consent, we will take immediate action to remove the information and ensure compliance with applicable data protection laws.

16. CONTACT US

If you have any questions about how we handle your personal data, or if you want to exercise any of your rights, please contact us at:

Email: legal@cx-assist.com

Address: Balance VA Limited trading as CX Assist ,1906 E1 Devils Tower Road Gibraltar ,GX11 1AA

17. CHANGES TO THIS POLICY

We reserve the right to change this Privacy Policy from time to time at our sole discretion. If we make any changes, we will post those changes here. However, if we make material changes to this Policy, we will notify you by means of a prominent notice on the website prior to the change becoming effective.