privacy policy

INTRODUCTION

Thank you for your interest in The Phoenix Group, Inc. ("Company," "we," "us," or "our"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.

Company Information:

The Phoenix Group, Inc.
164 S. Park Blvd.
Greenwood, IN 46143

If you have any questions or concerns about this policy or our practices regarding your personal information, please contact us at hrdept@teamphoenix.com.

This Privacy Policy applies to all information collected through our website and any related services, sales, marketing, or events (collectively, the "Services").

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Services.

1. WHO WE ARE

The Phoenix Group, Inc. is the data controller responsible for your personal data collected through our Services. As a data controller, we determine the purposes and means of processing your personal data.

Contact Details:

Company Name: The Phoenix Group, Inc.
Address: 164 S. Park Blvd., Greenwood, IN 46143
Email: hrdept@teamphoenix.com
‍Phone: 317-884-3600

2. WHAT INFORMATION DO WE COLLECT?

This section describes all categories of personal information we may collect about you. Please note: Certain categories of personal information are classified as "sensitive" under applicable law and are subject to enhanced protections and additional rights. For information about which categories are considered sensitive and the additional safeguards that apply to them, please see Section 3.

Personal Information You Disclose to Us

We collect personal information that you voluntarily provide to us when you express an interest in obtaining information about us or our products and services, when participating in activities on our website, or otherwise when contacting us.

The personal information we collect may include the following categories:

All personal information that you provide to us must be true, complete, and accurate. You must notify us of any changes to such personal information.

Information Automatically Collected

We automatically collect certain information when you visit, use, or navigate our Services. This information does not reveal your specific identity (like your name or contact information) but may include:

1. Device and Usage Information: IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and information about how and when you use our Services
2. Cookies and Similar Technologies: We collect information through cookies and similar technologies. Please see our Cookie Policy for more details.
3. General Geolocation Information: We may collect general location data such as city, state, or country based on your IP address
4. Precise Geolocation Information: We may request access to track precise location-based information from your device. Because precise geolocation is classified as sensitive personal information, we will obtain your consent before collecting this data. You may disable this in your device settings.
5. Mobile Device Data: Device information such as mobile device ID, model, manufacturer, operating system, and IP address

Information Collected from Other Sources

We may obtain information about you from other sources, such as:

1. Public databases
2. Joint marketing partners
3. Social media platforms (e.g., Facebook, LinkedIn)
4. Third-party data providers

Sources of Personal Information

We collect personal information from the following categories of sources:

1. Directly from you: When you provide it to us through forms, purchases, account registration, or communications
2. Indirectly from you: Through your use of our Services, including via cookies and similar technologies
3. From third parties: Including business partners, marketing partners, social media platforms, and data brokers
4. Publicly available sources: Including public databases and government records

3. SENSITIVE PERSONAL INFORMATION: ENHANCED PROTECTIONS

Certain categories of personal information are classified as "sensitive personal information" under applicable data protection laws. These categories receive heightened protection due to the significant risks they pose if mishandled—including potential discrimination, identity theft, financial harm, physical safety concerns, or other serious adverse consequences.

Sensitive personal information generally includes data that:

1. Reveals protected characteristics: Such as racial or ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, or citizenship and immigration status‍
2. Uniquely identifies through biology: Including genetic data and biometric information such as fingerprints, facial recognition data, voiceprints, or retinal scans‍
3. Concerns health conditions: Including mental and physical health diagnoses made by healthcare providers‍
4. Pinpoints precise location: Geolocation data accurate within approximately 1,750 feet (one-third of a mile)‍
5. Involves vulnerable individuals: Personal data collected from known children (under 13 years of age)‍
6. Provides access to accounts: Financial account credentials combined with security codes or passwords‍
7. Contains private communications: The contents of personal mail, email, or text messages‍
8. Reveals union membership: Data indicating trade union affiliation‍
9. Includes government identifiers: Social Security numbers, driver's license numbers, passport numbers, or state identification numbers

Because of the potential for discrimination, identity theft, financial harm, physical safety risks, or other significant adverse consequences if this information is mishandled, we apply heightened safeguards to its collection and processing. We will obtain your explicit consent before processing sensitive personal information, except where otherwise permitted by applicable law.

Categories of Sensitive Personal Information

The following table identifies which categories of personal information are classified as sensitive and receive enhanced protection:

Sensitive Personal Information We Collect

We collect the following categories of sensitive personal information:

1. Government-issued identifiers (Category B) – for identity verification purposes
2. Financial account credentials (Category D) – for payment processing and account access
3. Precise geolocation data (Category H) – with your consent, for location-based services

We do NOT collect the following categories of sensitive personal information:

1. Biometric data for identification purposes
2. Genetic data
3. Health information
4. Data revealing racial or ethnic origin, religious beliefs, political opinions, sexual orientation, or union membership
5. Contents of private communications
6. Personal data from known children

Enhanced Protections for Sensitive Personal Information

Because of the heightened risks associated with sensitive personal information, we apply the following additional safeguards:

Your Rights Regarding Sensitive Personal Information

In addition to the general rights described elsewhere in this Privacy Policy, you have the following specific rights regarding sensitive personal information:

1. Right to Consent: We will obtain your explicit consent before processing sensitive personal information.
2. Right to Withdraw Consent: You may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted before withdrawal.
3. Right to Limit Use: You have the right to limit our use and disclosure of sensitive personal information to uses necessary to perform services or provide goods you request, or as otherwise permitted by law. To exercise this right, email us at hrdept@teamphoenix.com‍
4. Right to Object: You have the right to object to the processing of your sensitive personal information.
5. Right to Appeal: If we decline to act on your request regarding sensitive personal information, you have the right to appeal that decision.
6. Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your sensitive personal information infringes applicable data protection laws.

How We Use Sensitive Personal Information

We use sensitive personal information for the following purposes:

1. To verify your identity when you access your account
2. To process payments and financial transactions you request
3. To provide location-based services you request (with your consent)
4. To comply with legal obligations

We do NOT use sensitive personal information for:

1. Targeted advertising
2. Sale to third parties
3. Profiling for purposes unrelated to the services you request
4. Any purpose incompatible with the purpose for which it was collected

4. LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA

Under applicable data protection laws, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

a) Consent: Where you have given us clear consent to process your personal data for a specific purpose. You have the right to withdraw your consent at any time.

b) Contract Performance: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.

c) Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject.

d) Vital Interests: Where processing is necessary to protect someone's life or physical safety.

e) Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided your interests and fundamental rights do not override those interests.

Our legitimate interests include:

1. Administering and developing our business
2. Marketing and promoting our products and services
3. Providing and improving our Services
4. Network and information security
5. Fraud prevention

5. HOW DO WE USE YOUR INFORMATION?

We use the information we collect or receive for various purposes based on legitimate business interests, the fulfillment of our contract with you, compliance with our legal obligations, and/or your consent.

Business and Commercial Purposes

Data Minimization: We limit our collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to you in this Privacy Policy.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice and, where required, obtaining your consent.

6. WILL YOUR INFORMATION BE SHARED WITH ANYONE?

We only share and disclose your information in the following situations:

a) Compliance with Laws: We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).

b) Vital Interests and Legal Rights: We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.

c) Vendors, Consultants, and Third-Party Service Providers: We may share your data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. Examples include:

1. Payment processing
2. Data analysis
3. Email delivery
4. Hosting services
5. Customer service
6. Marketing efforts

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Our contracts with service providers and processors include:

1. Clear instructions for processing personal data
2. The nature and purpose of processing
3. The type of data subject to processing
4. The duration of processing
5. The rights and obligations of both parties
6. Requirements for confidentiality
7. Requirements for data return or deletion at the end of services
8. Requirements for compliance demonstration and assessment cooperation
9. Subcontractor requirements
10. Prohibition on selling or sharing the personal information
11. Prohibition on retaining, using, or disclosing the personal information outside the direct business relationship

d) Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

e) Third-Party Advertisers: We may use third-party advertising companies to serve ads when you visit our website. These companies may use information about your visits to our website and other websites to provide relevant advertisements.

f) Affiliates: We may share your information with our affiliates, in which case we will require those affiliates to honor this Privacy Policy. For purposes of this policy, "affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity, or shares common branding with another legal entity.

g) Business Partners: We may share your information with our business partners to offer you certain products, services, or promotions.

h) With Your Consent: We may disclose your personal information for any other purpose with your explicit consent.

i) Other Users: When you share personal information (e.g., by posting comments or content) in public areas of our website, such information may be viewed by all users and may be publicly distributed.

7. SALE AND SHARING OF PERSONAL INFORMATION

Disclosure of Personal Information for Business Purposes

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose to the categories of recipients indicated:

Sale or Sharing of Personal Information

"Sale of personal data" means the exchange of personal data for monetary or other valuable consideration to a third party. The term does not include:

1. Disclosure to a processor acting on behalf of the controller
2. Disclosure to a third party for purposes of providing a product or service requested by the consumer
3. Disclosure to an affiliate of the controller
4. Disclosure of information the consumer intentionally made available to the general public
5. Disclosure as part of a merger, acquisition, bankruptcy, or similar transaction

"Sharing" means making available or communicating a consumer's personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

We do not sell your personal information as the term "sell" is traditionally understood. However, under the broad definitions of "sale" and "sharing" under applicable law, some of our data disclosures may be considered a "sale" or "sharing." We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

Your Right to Opt Out

You have the right to opt out of the sale or sharing of your personal information. To exercise this right, email us at hrdept@teamphoenix.com. We will process your opt-out request within 15 business days.

Opt-Out Preference Signals

We recognize and respond to Global Privacy Control (GPC) signals and other opt-out preference signals as valid requests to opt out of the sale or sharing of personal information. If we detect such a signal, we will treat it as a valid opt-out request for the browser or device from which we receive the signal.

8. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information.

1. Strictly Necessary Cookies: Essential for the website to function
2. Performance Cookies: Help us understand how visitors interact with our website
3. Functional Cookies: Enable enhanced functionality and personalization
4. Targeting Cookies: Used to deliver relevant advertisements

Your choices: Most web browsers are set to accept cookies by default. You can usually choose to set your browser to remove or reject cookies. Please note that removing or rejecting cookies may affect certain features or services of our website.

Do Not Track Signals: Some browsers include a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want your online activity tracked. We respond to DNT signals. We also respond to Global Privacy Control (GPC) signals.

For more information, please see our Cookie Policy.

9. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to, stored, and processed in countries other than your own, including the United States, where data protection laws may differ from those in your jurisdiction.

Transfers Outside Your Country of Residence

When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:

1. Adequacy Determinations: Transfers to countries that have been determined to provide an adequate level of data protection
2. Standard Contractual Clauses: Using approved standard contractual clauses
3. Binding Corporate Rules: For transfers within our corporate group
4. Consent: Where you have explicitly consented to the proposed transfer after being informed of the possible risks

Please contact us if you want further information on the specific mechanisms used by us when transferring your personal data internationally.

10. HOW LONG DO WE KEEP YOUR INFORMATION?

We will only retain your personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

Retention criteria include:

1. The duration of our relationship with you
2. Any legal obligations to retain data
3. The statute of limitations for potential legal claims
4. Guidelines issued by relevant data protection authorities

General retention period: We will not retain your personal information for longer than two (2) years after our last interaction with you, unless a longer retention period is required or permitted by law.

Retention periods by category of information:

When we have no ongoing legitimate business need to process your personal information, we will either:

• Delete or anonymize it, or
• If deletion is not immediately possible (e.g., due to backup archives), securely store and isolate it from any further processing until deletion is possible.

11. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented appropriate technical and organizational security measures designed to protect your personal data, including:

• Encryption: Using encryption technologies (e.g., SSL/TLS) for data transmission
• Access Controls: Limiting access to personal data to authorized personnel only
• Pseudonymization: Where appropriate, pseudonymizing personal data
• Security Assessments: Regularly testing and evaluating the effectiveness of our security measures
• Incident Response: Maintaining procedures to address any suspected data breach

We establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These data security practices are appropriate to the volume and nature of the personal data at issue.

However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. While we strive to protect your personal information, transmission of personal data to and from our Services is at your own risk. You should only access the Services within a secure environment.

12. YOUR DATA PROTECTION RIGHTS

Depending on your location and applicable law, you may have the following rights regarding your personal data:

a) Right to Confirm and Access (Right to Know):

You have the right to confirm whether we are processing your personal data and to access such personal data. You may also request information about how we collect, use, disclose, and sell your personal information, including:

1. The categories of personal information we collected about you
2. The categories of sources from which the personal information is collected
3. The business or commercial purpose for collecting, selling, or sharing personal information
4. The categories of third parties to whom we disclose personal information
5. The specific pieces of personal information we have collected about you

b) Right to Rectification (Right to Correct)

You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete, taking into account the nature of the personal data and the purposes of processing.

c) Right to Erasure (Right to Delete)

You have the right to request that we delete personal data provided by or obtained about you, subject to certain exceptions provided by law.

d) Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data, under certain conditions.

e) Right to Data Portability

You have the right to obtain either:

• A copy of your personal data that you previously provided to us; or
• A representative summary of such personal data.

The information will be provided in a portable and, to the extent technically practicable, readily usable format that allows you to transmit the data to another controller without hindrance. We have discretion to provide either a copy or a representative summary, taking into account the nature of the personal data and the purposes of processing. We are not required to provide a copy or representative summary more than once in a 12-month period.

f) Right to Object

You have the right to object to our processing of your personal data, under certain conditions.

g) Right to Withdraw Consent

Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing conducted before withdrawal.

h) Right to Opt Out of Sale/Sharing/Targeted Advertising/Profiling

You have the right to opt out of:

1. The sale of your personal information
2. The sharing of your personal information for cross-context behavioral advertising
3. Targeted advertising
4. Profiling in furtherance of decisions that produce legal or similarly significant effects concerning you

i) Right to Limit Use of Sensitive Personal Information

You have the right to limit our use and disclosure of your sensitive personal information to uses necessary to perform services or provide goods you request, or as otherwise permitted by law. To exercise this right, email us at hrdept@teamphoenix.com.

j) Right Not to be Subject to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where:

1. It is necessary for entering into or performing a contract
2. It is authorized by applicable law
3. You have given explicit consent

Where we use automated decision-making:

1. We will inform you of the existence of such processing and provide meaningful information about the logic involved
2. You have the right to request human intervention
3. You have the right to express your point of view
4. You have the right to contest the decision

k) Right to Non-Discrimination

You have the right not to receive discriminatory treatment for exercising your privacy rights. We will not:

1. Deny you goods or services
2. Charge you different prices or rates for goods or services
3. Provide you a different level or quality of goods or services
4. Suggest that you will receive a different price or rate or different level or quality of goods or services
5. Retaliate against you for exercising your rights

However, we may offer different prices, rates, levels, quality, or selection of goods or services if:

1. You have exercised your right to opt out; or
2. The offer is related to your voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.

l) Right to Appeal

If we decline to take action on your request, you have the right to appeal that decision. We will respond to your appeal in writing within 60 days of receipt. If we deny your appeal, we will provide you with an online mechanism or other method through which you may submit a complaint to the appropriate regulatory authority.

m) Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes applicable data protection laws.

To exercise any of these rights, please contact us using the contact details provided below.

13. HOW TO SUBMIT A REQUEST TO EXERCISE YOUR RIGHTS

Methods for Submitting Requests

You may submit a request to exercise your privacy rights through the following methods:

We will not require you to create a new account to exercise your rights, but we may require you to use an existing account.

Authorized Agents

You may designate an authorized agent to make a request on your behalf. To do so:

1. Provide the authorized agent with written permission signed by you
2. Verify your own identity directly with us
3. Directly confirm with us that you provided the authorized agent permission to submit the request

Alternatively, your authorized agent may provide a power of attorney pursuant to applicable law.

We may deny a request from an authorized agent who does not submit proof of authorization.

Verification Process

When you submit a request, we will take steps to verify your identity before processing your request. We will authenticate your request using commercially reasonable efforts. If we are unable to authenticate your request, we may request additional information reasonably necessary to authenticate you and your request.

The verification steps may vary depending on the type of request:

1. Requests to Know or Delete: We will verify your identity to a reasonable degree of certainty or reasonably high degree of certainty depending on the sensitivity of the information, which may require matching at least two or three data points you provide with information we maintain.
2. Requests to Opt Out: We will not require verification unless we have reason to believe the request is fraudulent.

If we cannot verify your identity, we may deny your request.

Response Timing

We will respond to your request without undue delay, but in any case within 45 days of receipt. This period may be extended once by an additional 45 days when reasonably necessary, taking into account the complexity and number of your requests. We will inform you of any extension within the initial 45-day period, along with the reason for the extension.

If we decline to take action on your request, we will inform you within 45 days of the justification for declining and provide instructions for how to appeal.

Fees

Information provided in response to your request will be provided free of charge, up to one time annually. If your requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee to cover administrative costs or decline to act on the request. We bear the burden of demonstrating that requests are manifestly unfounded, excessive, or repetitive.

Contract Provisions

Any provision of a contract or agreement that purports to waive or limit your consumer rights under applicable data privacy law is contrary to public policy and is void and unenforceable.

14. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly collect or solicit personal data from children.

Age Thresholds and Requirements

1. ‍Children under 13: We will not knowingly process personal data from a known child (under 13 years of age) without processing such data in accordance with applicable child privacy protection laws. Personal data collected from a known child is considered "sensitive data" and requires parental consent before processing.
2. ‍Children 13-15: We will not sell or share the personal information of consumers we actually know are between 13 and 15 years of age, unless the consumer affirmatively authorizes ("opts in" to) the sale or sharing.
3. ‍Children under 16: For information society services offered directly to a child under 16 years of age, we require consent or authorization from the holder of parental responsibility over the child.

A business that willfully disregards a consumer's age shall be deemed to have had actual knowledge of the consumer's age.

A controller or processor that complies with applicable child privacy protection laws, including the Children's Online Privacy Protection Act (COPPA), satisfies any obligation to obtain parental consent under this Privacy Policy.

General Policy

By using our website, you represent that you are at least 18 years of age, or that you are the parent or guardian of a minor and consent to such minor dependent's use of the website.

If we learn that we have collected personal data from a child without verification of parental consent where required, we will take reasonable measures to promptly delete such data from our records.

If you believe we might have any information from or about a child, please contact us immediately at the contact details below.

15. DATA PROTECTION OFFICER

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Policy and applicable data protection laws.

Data Protection Officer Contact Details:

Name: Kim Kovacs

‍Email: hrdept@teamphoenix.com

‍Address: The Phoenix Group, Inc., 164 S. Park Blvd., Greenwood, IN 46143

You may contact the DPO with any questions or concerns about our data protection practices or this Privacy Policy.

16. DATA BREACH NOTIFICATION

In the event of a personal data breach, we will take the following actions:

Notification to Supervisory Authorities

We will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Notification to Affected Individuals

Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay. This communication will:

1. Describe the nature of the breach in clear and plain language
2. Provide the name and contact details of our Data Protection Officer or other contact point
3. Describe the likely consequences of the breach
4. Describe the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects

Exception: Communication to you may not be required if:

1. We have implemented appropriate technical and organizational protection measures (e.g., encryption) that render the data unintelligible to unauthorized persons
2. We have taken subsequent measures that ensure the high risk is no longer likely to materialize
3. It would involve disproportionate effort (in which case, we will make a public communication instead)

Processor Obligations

‍Our processors are required to notify us without undue delay after becoming aware of a personal data breach and assist us in meeting our breach notification obligations, taking into account the nature of processing and the information available to the processor.

Your Rights in Case of Breach

‍If your nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of our failure to implement and maintain reasonable security procedures and practices, you may be entitled to seek statutory damages and other remedies as provided by applicable law.

17. AUTOMATED DECISION-MAKING AND PROFILING

In the event of a personal data breach, we will take the following actions:

What is Profiling?

"Profiling" means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health or health records, personal preferences, interests, reliability, behavior, location, or movements.

What are "Decisions That Produce Legal or Similarly Significant Effects"?

Such decisions include those resulting in the provision or denial of:

1. Financial and lending services
2. Housing
3. Insurance
4. Education enrollment
5. Criminal justice
6. Employment opportunities
7. Health care services
8. Access to basic necessities, such as food and water

Our Use of Automated Decision-Making

We do not currently use automated decision-making that produces legal or similarly significant effects.

Your Rights Regarding Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where:

1. It is necessary for entering into or performing a contract
2. It is authorized by applicable law
3. You have given explicit consent

Where we use automated decision-making:

1. We will inform you of the existence of such processing and provide meaningful information about the logic involved
2. You have the right to request human intervention
3. You have the right to express your point of view
4. You have the right to contest the decision

Your Right to Opt Out

You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. To exercise this right, please contact us using the methods described in Section 13.

We will implement suitable safeguards to protect your rights, freedoms, and legitimate interests.

18. DATA PROTECTION IMPACT ASSESSMENTS

We conduct and document data protection impact assessments for the following processing activities involving personal data:

1. Processing for targeted advertising
2. Sale of personal data‍
3. Processing for profiling where such profiling presents a reasonably foreseeable risk of:
   
   • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers
   • Financial, physical, or reputational injury to consumers
   • Physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person
   • Other substantial injury to consumers‍
4. Processing of sensitive data
5. Any processing activities involving personal data that present a heightened risk of harm to consumers‍
6. Systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling, and on which decisions are based that produce legal effects
7. Processing on a large scale of special categories of data‍
8. Systematic monitoring of a publicly accessible area on a large scale

Assessment Process

These assessments identify and weigh the benefits that may flow from the processing against the potential risks to consumer rights, as mitigated by safeguards we employ. The assessments consider:

1. The use of de-identified data
2. The reasonable expectations of consumers
3. The context of processing
4. Our relationship with consumers

A single data protection impact assessment may address a comparable set of processing operations that include similar activities.

Confidentiality

Data protection impact assessments are confidential and exempt from public disclosure. We will make assessments available to regulatory authorities upon request pursuant to a lawful investigative demand.

19. FINANCIAL INCENTIVES

Notice of Financial Incentives

We may offer financial incentives, including payments to consumers as compensation, for the collection, sale, sharing, or retention of personal information.

Current Financial Incentive Programs:

We do not currently offer any financial incentive programs.

How We Calculate Value:

We have calculated the value of the consumer data in our financial incentive programs by [explain the methodology, which may consider the expense related to the collection, storage, and retention of personal information; the revenue generated by the sale of such data; the value to the business of the consumer's continued use of the services; etc.].

Right to Withdraw:

You may withdraw from any financial incentive program at any time by [describe withdrawal method]. Your withdrawal will not affect any transactions or benefits previously provided.

Non-Discrimination:

We will not discriminate against you for not participating in a financial incentive program.

We may offer different prices, rates, levels, quality, or selection of goods or services to you, including offering goods or services for no fee, if:

1. You have exercised your right to opt out; or
2. The offer is related to your voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.

20. DO WE MAKE UPDATES TO THIS POLICY?

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last Updated" date at the top of this Privacy Policy.

If we make material changes to this Privacy Policy, we may notify you either by:

1. Prominently posting a notice of such changes on our website
2. Directly sending you a notification

We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information.

21. HOW CAN YOU CONTACT US ABOUT THIS POLICY?

By Email: hrdept@teamphoenix.com

By Telephone: 317-884-3600

By Mail:
The Phoenix Group, Inc.
Attn: Privacy Inquiries
164 S. Park Blvd.
Greenwood, IN 46143
United States

Data Protection Officer:

Kim Kovacs
hrdept@teamphoenix.com

22. HOW CAN YOU REVIEW, UPDATE, OR DELETE YOUR DATA?

Based on the applicable laws of your country or state of residence, you may have the right to:

• Confirm whether we are processing your personal data
• Request access to your personal data (or a representative summary)
• Request correction of your personal data
• Request deletion of your personal data
• Request transfer of your personal data
• Opt out of the sale or sharing of your personal data
• Opt out of targeted advertising
• Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
• Limit the use of your sensitive personal information

To make a request:

Response Timeframes:

We will respond to your request within 45 days of receipt. This period may be extended by an additional 45 days when reasonably necessary. Appeals will receive a response within 60 days.

‍Verification: To protect your privacy and security, we may need to verify your identity before fulfilling your request.

APPENDIX: SUMMARY OF YOUR DATA PROTECTION RIGHTS

This Privacy Policy was last updated on February 9, 2026.