Privacy Policy

Effective Date: March 10, 2026

Data Processing Architecture and Technology Development

APAS® Cloud ensures that all client data is processed exclusively on HIPAA-compliant servers located in the United States. The proprietary technology powering APAS® Cloud is developed by APAS Ltd. in Cyprus, where our research and development team creates and maintains our advanced data processing systems and algorithms. While all R&D occurs in Cyprus, all client data is processed and stored exclusively in the United States to ensure full compliance with healthcare privacy regulations.

APAS Ltd. (“we,” “our,” or “us”) operates APAS® Cloud, a HIPAA-compliant advertising intelligence platform for full-funnel attribution, data activation, and marketing performance optimization. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services. By using the Platform, you also agree to our Terms of Service.

1. Legal Grounds for Data Processing

Processing of your personal information (any information which may potentially allow your identification with reasonable means) is necessary for:

  • The performance of our contractual obligations towards you and providing you with our services
  • Protection of our legitimate interests
  • Compliance with legal and financial regulatory obligations to which we are subject

When you use our website, you consent to the collection, storage, use, disclosure, and other uses of your personal information as described in this Privacy Policy. We encourage our users to carefully read this Privacy Policy and use it to make informed decisions.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide when you:

  • Request a demo or consultation
  • Subscribe to our newsletter
  • Contact us via email or forms
  • Create an account or use our services
  • Submit a form, schedule an appointment, or interact with a chatbot powered by the Platform

This may include: name, email address, company name, phone number, and any other information you choose to provide.

2.2 Automatically Collected Information

When you visit our website, we automatically collect certain information about your device and browsing actions, including:

  • IP address and geolocation data
  • Browser type and version
  • Device information
  • Pages viewed and time spent on pages
  • Referral source and click data
  • Attribution identifiers (apasid, apasclid)

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our services
  • Process your requests and communications
  • Send you technical notices and updates
  • Respond to your comments and questions
  • Analyze usage trends and improve our services
  • Measure advertising effectiveness through anonymous conversion reporting
  • Detect, prevent, and address bot activity, click fraud, and technical issues
  • Comply with legal obligations

4. Attribution Tracking

APAS® Cloud uses attribution tracking to understand visitor behavior and conversion touchpoints across digital channels. We:

  • Generate unique identifiers (apasid, apasclid) stored in your browser's local storage
  • Capture URL parameters including UTM codes and click IDs from advertising platforms
  • Track visitor sessions, form submissions, phone calls, and appointment bookings
  • Store attribution data for analysis and reporting

This data helps us measure marketing effectiveness and optimize conversion paths. Attribution identifiers remain on your device and are never shared with third parties in a way that could identify you.

5. Tracking & Cookies Data

We use privacy-friendly technology to understand how visitors use our website and improve their experience finding the care they need. We use a single first-party cookie for website analytics — it stays on our domain and never follows users to other websites. We do not use third-party tracking cookies or advertising networks. We also monitor website traffic to detect and block malicious bot activity and unauthorized access attempts, helping keep our infrastructure and your data secure.

Our website analytics do not collect any personal health information, medical conditions, or treatment interests through browsing activity. The only data gathered includes general usage patterns such as where users came from, pages visited, time spent on site, and how they navigate our services. This helps us make our website easier to use and ensures important health resources are easy to find.

User privacy is paramount — we do not sell, share, or transfer any personally identifiable visitor information to third parties, advertising networks, or data brokers. Where anonymous advertising measurement is used, only irreversible cryptographic hashes and anonymous conversion codes are shared — never plain-text names, emails, phone numbers, or any information that could identify you.

6. Global Privacy Control (GPC)

We respect the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, our website will automatically detect it and disable all attribution and analytics data collection. No identifiers will be created, no cookies will be set, and no analytics scripts will load. You can enable GPC in your browser's privacy settings or by using a browser that supports it by default, such as Brave or DuckDuckGo.

7. Advertising Measurement

We measure the effectiveness of our advertising by reporting anonymous conversion events to advertising platforms. When users arrive at our website from an advertisement and later take an action (such as submitting a form, making a call, or booking an appointment), we may notify the advertising platform using a color-coded system (red, orange, yellow, white, green) that represents general conversion stages — never revealing who our users are or what specific care they're seeking. These color codes are universal across all industries and cannot be used to identify any medical condition, treatment type, or personal information. This anonymous reporting uses only a random click identifier, irreversible cryptographic hashes, and a color code. It simply helps us understand which channels are effective at helping people find the services they need, allowing us to focus our resources on the most helpful advertising channels.

8. Your Choice

When you first visit our website, a consent banner will ask whether you accept analytics. If you decline, no identifiers will be created, no cookies will be set, and no analytics data will be collected. If you accept, privacy-friendly analytics will be enabled for your session and future visits. You can withdraw consent at any time by requesting deletion of your data.

Additionally, our forms and scheduling tools include a consent checkbox that allows you to decline data sharing with advertising platforms before submitting your information. If you opt out, no data — not even anonymous conversion events — will be sent to any advertising platform. We encourage you to consent, as it helps others like you find and benefit from the services we offer.

If you would like to request deletion of any data associated with your browsing activity, click this link: DELETE MY DATA to immediately remove all identifiers, cookies, and analytics data from your browser and our systems. Your request will be processed immediately. Alternatively, you can contact us at [email protected].

All our technology partners, including Cloudflare, Google Cloud, Railway, PostHog, Supabase, Windmill, Airbyte, Twilio, and others, have signed Business Associate Agreements (BAAs) to ensure strict security and HIPAA-compliant handling of any data. Users can clear their browsing data anytime through browser settings, giving them complete control over their information.

9. Data Sharing and Disclosure

We may share your information with:

  • Service Providers: Enterprise technology partners that perform services on our behalf, all of which have signed BAAs
  • Analytics Partners: PostHog for privacy-focused product and web analytics
  • Advertising Platforms: Anonymous conversion events only (color codes and cryptographic hashes), subject to visitor consent
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, sale, or acquisition

We do not sell your personal information to third parties.

10. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

  • Enterprise-grade infrastructure with BAA-covered partners exclusively
  • Continuous HIPAA compliance auditing through our partnership with Compliancy Group, the leading HIPAA compliance auditing platform in the United States
  • Advanced bot detection and click fraud prevention
  • All data processing on HIPAA-compliant US-based servers
  • SHA-256 cryptographic hashing for any identifiers shared with advertising platforms

However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

11. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Visitors may request immediate deletion of their data at any time through the DELETE MY DATA mechanism or by contacting us directly.

12. Your Rights

Depending on your location, you may have certain rights regarding your personal information, including the right to:

  • Receive confirmation as to whether or not personal information concerning you is being processed, and access your stored personal information
  • Receive a copy of personal information you directly volunteer to us in a structured, commonly used, and machine-readable format
  • Request rectification of your personal information that is in our control
  • Request erasure of your personal information
  • Object to the processing of personal information by us
  • Request to restrict processing of your personal information by us
  • Opt out of data sharing with advertising platforms via consent checkboxes on forms
  • Use the Global Privacy Control (GPC) signal to disable all analytics and attribution
  • Request immediate data deletion via the DELETE MY DATA mechanism
  • Lodge a complaint with a supervisory authority

Please note that these rights are not absolute and may be subject to our own legitimate interests and regulatory requirements.

To exercise these rights, please contact our Data Protection Officer using the details in the Contact section below.

13. International Data Transfers

While our technology is developed in Cyprus, all client data is processed and stored exclusively on HIPAA-compliant servers in the United States. For European Economic Area (EEA) users, we transfer data only to countries approved by the European Commission as providing adequate levels of data protection, or we enter into legal agreements ensuring an adequate level of data protection.

14. Children's Privacy

We understand the importance of protecting children's privacy, especially in an online environment. Our services are not designed for or directed at children. Under no circumstances shall we allow use of our services by minors. We do not knowingly collect personal information from minors. If a parent or guardian becomes aware that their child has provided us with personal information without consent, please contact us immediately.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Effective Date” at the top.

16. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact our Data Protection Officer:

  • Privacy Officer: Lesley Van De Mortel
  • Email: [email protected]
  • Phone: +357 943 27221
  • Address: APAS Ltd., Onisiforou Center, 2nd floor, Agios Theodoros, 8011 Paphos, Cyprus