Terms of Service

Effective Date: March 10, 2026

1. Acceptance of Terms

By accessing or using APAS® Cloud (“the Platform”), operated by APAS Ltd. (“we,” “our,” or “us”), you agree to be bound by these Terms of Service. If you do not agree to these terms, you must not use the Platform.

2. Description of Service

APAS® Cloud is a HIPAA-compliant advertising intelligence platform. The Platform provides infrastructure for full-funnel attribution, data activation, and marketing performance optimization across digital channels — including but not limited to website analytics, conversion tracking, form and call capture, appointment scheduling, AI-powered knowledge bases (RAG), offline conversion delivery to advertising platforms, advanced bot detection and click fraud prevention, data warehousing, and privacy compliance management.

The specific features, integrations, and tools available through the Platform may change over time. All features provided through the Platform are subject to these Terms.

3. Compliance Tools Provided by APAS® Cloud

APAS® Cloud provides a comprehensive suite of privacy and compliance tools designed to help clients meet their regulatory obligations. These tools are built into the Platform and available to all clients:

3.1 Consent Management

• Form consent field: All forms created through the Platform include a data consent field by default. This pre-checked opt-out checkbox gives website visitors the choice to decline data sharing with third-party advertising platforms (Google Ads, Meta, Microsoft Ads) before submitting their information. If a visitor unchecks the consent box, no data — not even anonymous conversion events — will be sent to any advertising platform.
• Opt-out / Opt-in modes: The Platform supports both opt-out (default) and opt-in consent models. In opt-out mode, analytics load immediately while respecting the Global Privacy Control (GPC) signal. In opt-in mode, no identifiers are created, no cookies are set, and no analytics data is collected until the visitor explicitly accepts via a consent banner.
• Consent banner: A fully customizable consent banner is provided for clients operating in jurisdictions that require opt-in consent. The banner defers all tracking until the visitor accepts. Their consent choice is recorded in a dedicated audit table for legal compliance.
• Global Privacy Control (GPC): The Platform automatically detects and honors the GPC signal. When a visitor's browser sends a GPC signal, all attribution and analytics data collection is disabled — no identifiers are created, no cookies are set, and no analytics scripts load.

3.2 Privacy Policy and Data Deletion

• Privacy policy snippet: The Platform generates a ready-to-use privacy policy section that accurately describes analytics practices, advertising measurement, consent mechanisms, and visitor rights. This snippet automatically adapts based on whether opt-in or opt-out mode is selected.
• DELETE MY DATA: The Platform generates a one-click data deletion link that clients can embed in their privacy policy. When activated by a visitor, this link immediately removes all identifiers, cookies, and analytics data from the visitor's browser and our systems.

3.3 HIPAA-Compliant Data Architecture

• Color-coded conversion events: Offline conversions sent to advertising platforms use an opaque color-coded system (red, orange, yellow, white, green) that represents general conversion stages. No Protected Health Information (PHI), personally identifiable information, or treatment details are ever shared with advertising platforms. These color codes are universal across all industries and cannot be used to infer any medical condition or personal information.
• Hashed data only: Where personal identifiers are used for advertising platform matching, only irreversible SHA-256 cryptographic hashes are transmitted. Plain-text names, emails, phone numbers, or any directly identifiable information are never sent to any advertising platform.
• Business Associate Agreements (BAAs): The Platform is built exclusively on enterprise-grade infrastructure. All technology partners — including Cloudflare, Google Cloud, Railway, PostHog, Supabase, Windmill, Airbyte, Twilio, and others — have signed BAAs to ensure HIPAA-compliant handling of data.
• US-based data processing: All client data is processed and stored exclusively on HIPAA-compliant servers located in the United States.

3.4 HIPAA Compliance Auditing

APAS® Cloud has partnered with Compliancy Group, the leading HIPAA compliance auditing platform in the United States, to ensure that all systems, processes, and infrastructure adhere to the latest HIPAA regulations. Our compliance posture is continuously audited and updated as regulatory requirements evolve.

3.5 In-Platform Warnings

The Platform provides explicit warnings when clients attempt to remove or disable compliance-related features. These warnings cite specific regulations (including Washington's My Health My Data Act and California's CCPA/CPRA), explain the consequences of removal, and recommend consulting legal counsel. All removal actions are logged for audit purposes.

4. Client Responsibilities

While APAS® Cloud provides the compliance tools described in Section 3, you are solely responsible for ensuring that your use of the Platform complies with all applicable laws and regulations, including but not limited to:

• The Health Insurance Portability and Accountability Act (HIPAA)
• Washington's My Health My Data Act (MHMD Act)
• The California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
• The Virginia Consumer Data Protection Act (VCDPA)
• The Colorado Privacy Act (CPA)
• The Connecticut Data Privacy Act (CTDPA)
• Any other applicable federal, state, or international privacy laws

Your responsibilities include, without limitation:

• Deploying the APAS® Init Script on your website as instructed by the Platform
• Keeping the consent field enabled on all forms (the Platform default)
• Publishing the provided privacy policy snippet on your website
• Implementing the DELETE MY DATA link in your privacy policy
• Selecting the appropriate consent mode (opt-out or opt-in) for your jurisdiction
• Following all in-platform recommendations and warnings
• Maintaining your own legal compliance independent of the tools we provide

APAS® Cloud provides the tools — you are responsible for using them. Failure to deploy, configure, or maintain these tools as recommended constitutes non-compliant implementation and is done entirely at your own risk.

5. Limitation of Liability

To the maximum extent permitted by law:

• The Platform is provided “as is” and “as available” without warranties of any kind, whether express or implied.
• APAS Ltd. shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to regulatory fines, penalties, or legal fees arising from non-compliant implementations.
• APAS Ltd. is not liable for any compliance issues, data breaches, or regulatory actions resulting from a client's failure to properly deploy, configure, or maintain the compliance tools provided by the Platform, including but not limited to the consent field, consent banner, privacy policy snippet, DELETE MY DATA link, and init script.
• APAS Ltd. is not liable for any compliance issues arising from a client's decision to remove, disable, or override compliance features after being warned by the Platform.
• APAS Ltd. is not liable for any compliance issues arising from a client's failure to heed in-platform recommendations, including but not limited to warnings displayed when removing consent fields or disabling privacy features.

Our total liability for any claim arising from or related to the Platform shall not exceed the fees paid by you to APAS Ltd. in the twelve (12) months preceding the claim.

6. Indemnification

You agree to indemnify, defend, and hold harmless APAS Ltd., its officers, directors, employees, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) arising from or related to your use of the Platform, your violation of these Terms, or your non-compliant implementation of the tools and services provided — including but not limited to failure to deploy consent fields, privacy policy disclosures, data deletion mechanisms, or consent banners as recommended by the Platform.

7. Data Processing

All client data is processed and stored on HIPAA-compliant servers located in the United States. Our data processing practices are described in detail in our Privacy Policy.

Where required by applicable law, APAS Ltd. will enter into a Business Associate Agreement (BAA) with clients who process Protected Health Information (PHI) through the Platform.

8. Modifications to Terms

We reserve the right to modify these Terms of Service at any time. Changes will be posted on this page with an updated effective date. Continued use of the Platform after changes are posted constitutes your acceptance of the revised terms.

9. Governing Law

These Terms shall be governed by and construed in accordance with the laws of the Republic of Cyprus, without regard to its conflict of law provisions. Any disputes arising from these Terms shall be subject to the exclusive jurisdiction of the courts of Cyprus.

10. Contact Us

If you have any questions about these Terms of Service, please contact us:

• Email: [email protected]
• Address: APAS Ltd., Onisiforou Center, 2nd floor, Agios Theodoros, 8011 Paphos, Cyprus