This policy has been updated and is effective as of October 22, 2025.

1. Overview

This Privacy Policy, which is reviewed on an annual basis, outlines how we collect, use, disclose, and protect personal information in compliance with CCPA, GDPR, HIPAA, and other privacy regulation frameworks, including those of Ohio.

2. Purpose

The purpose of this Privacy Policy is to inform our data subjects about our practices regarding the collection, use, and disclosure of personal information.

3. Scope

This Privacy Policy applies to all personal information collected by our business, including information collected through our website, services, and products.

4. Definitions

  • Personal Data: Any information that identifies, relates to, describes, or could reasonably be linked to an individual, such as name, contact details, or identification numbers.
  • Processing: Any operation performed on personal data, whether automated or not, including collection, use, storage, disclosure, or deletion.
  • Data Subject: The individual whose personal data is being collected or processed.
  • Breach: A security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

5. Privacy Program Responsibilities

At MCPC, the Privacy Program ensures compliance with the GDPR, the California Consumer Privacy Act (CCPA), and other frameworks, including those of Ohio. Leadership holds oversight responsibility for staffing, funding, and alignment with MCPC’s commitment to data privacy. Leadership also participates in data governance as part of the Data Controller function.

The Security Lead at MCPC serves as the designated Data Protection Officer (DPO) required under GDPR and acts as the Privacy Contact Point for CCPA matters. The DPO advises leadership on privacy risks, monitors internal practices, and serves as the point of contact for data subjects and regulators. The DPO reports directly to senior management to maintain independence.

The role of Data Controller is collectively fulfilled by Leadership and IT & Security Personnel, who determine the purposes and means of processing personal data and ensure lawful, transparent activities. IT and Security Personnel implement technical and organizational measures to protect data and support the DPO in responding to requests under legal obligations.

6. Policy Statement

At MCPC, we are committed to protecting the privacy and security of your personal data. We do not and will never sell your personal data to third parties. We collect personal data solely to deliver and improve the services we provide to you, limited to legitimate business purposes and contractual obligations. Your data may be shared with trusted partners only to the extent required to deliver services effectively. All third parties are contractually bound to protect your data under applicable laws and our standards.

6.1 Data Retention

Data retention is determined based on business needs, legal requirements, and service nature. We retain personal data only as long as necessary to fulfill these purposes.

6.2 Regulated Industries

MCPC recognizes the importance of data privacy in regulated industries. Although we do not directly process or store regulated data such as patient health information or cardholder data, our services may involve indirect access to systems where such data resides.

6.2.1 Patient Data

MCPC may be classified as a Business Associate under HIPAA (45 CFR §160.103). We do not process or store PHI within our offerings. Personnel are trained to avoid PHI and follow HIPAA Privacy Rule requirements. Administrative, physical, and technical safeguards minimize unauthorized access or disclosure. Any PHI incident is managed per HIPAA’s Breach Notification Rule (45 CFR §§164.400-414).

6.2.2 Cardholder Data

MCPC may operate in environments where PCI DSS-regulated data exists. We do not directly process or store cardholder data but may work on systems supporting payment processing. We adhere to industry controls and training programs to ensure security and segregation from payment data. If MCPC collects cardholder data to process payments through a third party, it is securely transmitted and not retained by MCPC.

7. Privacy Notice

This notice is aimed at data subjects, generally the employees of our customers. It explains how we collect, use, and share personal information under the CCPA, GDPR, and other frameworks. We collect limited information — such as name, contact details, and address — only as necessary to provide and improve services. Information may be collected directly from you, from your employer, automatically through our services, or from trusted third parties. We do not sell your personal data.

Your information may be shared with service providers and partners solely to support service delivery. All third parties are contractually bound to protect your data. We retain data only as long as necessary for business, legal, or regulatory reasons.

You have rights to access, correct, delete, or restrict use of your data, and to object or request portability. To exercise your rights, contact us at [email protected].

We implement technical and organizational safeguards to protect your data. If we make significant changes to this notice, we will notify you through our website or other appropriate means.

MCPC primarily processes personal data on behalf of its customers and does not typically collect data directly from individuals. Accordingly, MCPC relies on the lawful basis and consent obtained by its customers for data processing in accordance with applicable laws including the GDPR and CCPA. By engaging MCPC’s services, customers confirm that all necessary consents or lawful bases have been secured.

9. Breach Notification

9.1 California Residents

In the event of a breach of unencrypted personal data from California residents, MCPC will notify affected individuals per California Civil Code § 1798.82 and contact the Attorney General if more than 500 residents are involved.

9.2 European Residents

In the event of a breach of unencrypted personal data from European residents posing a risk to rights and freedoms, the data controller will notify authorities within 72 hours as described in Articles 33 and 34 of the GDPR, and affected residents without undue delay when required.

9.3 Others

If unencrypted personal data is breached, MCPC will comply with all state notification laws. Operating in Ohio, MCPC will notify residents within 45 days of discovery and consumer reporting agencies for breaches affecting over 1,000 individuals, if applicable.

10. Contact Us

According to this notice, data subjects may have the right to review, amend, or delete their data based on residency and applicable rights. To make a request, contact us at [email protected]. MCPC personnel will verify your identity before responding to any inquiry.