Privacy Policy

Auctus Group Consulting, LLC  ·  Last updated: May 9, 2026  ·  Effective: May 9, 2026

This Privacy Policy describes how Auctus Group Consulting, LLC ("Auctus," "we," "us," or "our") collects, uses, and shares information when you access our internal dashboards and the Auctus Billing Intelligence tool (collectively, the "Services"). We are committed to protecting your privacy and handling your information responsibly.

1. Information We Collect

We collect the following categories of information:

• Identity and contact information: Your email address, provided when you request access via magic link or OAuth login. Your name and business or practice name, provided optionally when you first access the Billing Intelligence tool.
• Usage data: Pages you visit within our Services, the date and time of your visits, how frequently you visit, the page or link that referred you to our Services, and your session identifier.
• Authentication data: Login and logout events, multi-factor authentication verifications, and IP address associated with authentication events.
• Communications: Any information you voluntarily submit through Q&A threads, comments, or other interactive features within our Services.

We do not collect payment information, Social Security numbers, or patient health information through these Services. We collect only the information necessary for the purposes described in this policy.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing access (contract performance / legitimate interest): To authenticate you and grant access to the appropriate areas of our Services based on your role.
• Security and compliance (legitimate interest / legal obligation): To detect unauthorized access, investigate potential security incidents, and maintain audit logs as required for our compliance obligations.
• Product analytics (legitimate interest): To understand how our tools are being used so we can improve them.
• Marketing and outreach (consent): To contact you about Auctus services, resources, or updates that may be relevant to your practice or business, but only if you have consented to marketing communications at the time of registration. You may withdraw consent at any time (see Section 6).
• Operational communications (contract performance): To send you access links, security notifications, and service updates.

The legal bases noted above apply to users in jurisdictions governed by GDPR or similar frameworks. For California residents, processing is governed by the CCPA and CPRA as described in Section 6.

3. How Long We Keep Your Information

• Raw visit records (individual page views with timestamps): retained for 13 months, then permanently deleted.
• Visitor profiles (aggregated: name, business name, pages visited, visit frequency): retained until you request deletion or until 7 years of account inactivity, whichever comes first.
• Authentication logs (login/logout events, IP addresses): retained for a minimum of 3 years for security audit purposes.
• IDR Hub and operational records (Q&A threads, meeting notes, process documentation): retained for a minimum of 6 years in accordance with standard business records retention practices.
• Content approval records: retained indefinitely as an append-only audit trail.

When you request deletion of your personal information, we will delete or anonymize your data within 45 days, subject to our legal retention obligations (such as authentication logs retained for security purposes and business records retained as required by law).

4. Information Sharing and Disclosure

We do not sell your personal information. We share information only in the following circumstances:

• Service providers: We use Supabase (database, authentication, and file storage, hosted in the United States) and Vercel (hosting) as infrastructure providers. These vendors process your data on our behalf under formal data processing agreements.
• Cross-context behavioral advertising (sharing): If you have consented to marketing communications, your email address and associated profile information may be shared with advertising platforms such as Google Ads, Meta (Facebook and Instagram), and LinkedIn for the purpose of delivering relevant advertising. This constitutes "sharing" as defined under the California Privacy Rights Act (CPRA). You may opt out at any time — see Section 6 for the opt-out mechanism. We do not share your data for this purpose without your prior consent.
• Legal requirements: We may disclose information if required to do so by law, court order, or government authority, or when we believe disclosure is necessary to protect our rights or the safety of others.
• Business transfers: If Auctus is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you of any such transfer and the acquirer will be bound by this policy or provide you with equivalent protections.

We do not share your information with Callagy Recovery Corp. or any other third-party partner for their independent use, without your explicit consent, except as required by law.

5. Cookies and Tracking Technologies

Our Services use browser storage (localStorage and sessionStorage) to maintain your authenticated session. We do not use third-party advertising cookies or tracking pixels on our Services.

For the Billing Intelligence tool, session data persists in localStorage for up to 30 days to reduce login friction on return visits. For internal dashboards (Auctus Ops, IDR Hub, Content Approval), session data is stored in sessionStorage and cleared when you close your browser tab.

The session data stored in your browser is used solely to keep you logged in and is not independently shared with third parties.

6. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

• Right to know: You may request a summary of the categories and specific pieces of personal information we hold about you.
• Right to delete: You may request deletion of your personal information. We will verify your identity by confirming your request from the email address on file, then delete or anonymize your data within 45 days, subject to legal retention obligations.
• Right to correct: You may request correction of inaccurate information we hold about you. We will respond within 45 days.
• Right to data portability: You may request a copy of your personal information in a machine-readable format. We will respond within 45 days.
• Right to opt out of sharing for advertising: You may opt out of having your information shared with advertising platforms (Google Ads, Meta/Facebook/Instagram, LinkedIn) at any time. Email john@auctusgrp.com with subject line "Do Not Share — [Your Name]". We will process this request within 15 business days and set your opt-out preference in our system. This right applies to California residents under the CPRA and is honored for all users regardless of location.
• Right to opt out of marketing communications: You may unsubscribe from marketing emails at any time using the unsubscribe link in any marketing email, or by emailing john@auctusgrp.com with subject line "Opt Out — [Your Name]". We will process opt-out requests within 15 business days.
• Right to object or restrict processing (GDPR users): You may object to processing based on legitimate interest or request that we restrict processing of your data in certain circumstances. Contact us at the address below.
• Right to non-discrimination: We will not discriminate against you for exercising any of these rights. Exercising your privacy rights will not result in denial of access to our Services, different pricing, or reduced quality of service.

We do not sell personal information and have not done so in the preceding 12 months. California residents under CPRA have the right to opt out of sharing for cross-context behavioral advertising as described above.

7. Data Security

We implement industry-standard technical and organizational measures to protect your information, including:

• TLS encryption for all data in transit
• AES-256 encryption for all data at rest (provided by Supabase)
• Row-level security policies that restrict data access by user role and dashboard scope
• Multi-factor authentication enforced for all internal users
• Session tokens scoped to individual browser sessions for internal dashboards
• Audit logging for all authentication events retained for a minimum of 3 years

No method of transmission over the internet is 100% secure. In the event of a data breach affecting your personal information, we will notify you and the appropriate regulatory authorities within the timeframes required by applicable law. If you have reason to believe your information has been compromised, please contact us immediately at john@auctusgrp.com.

8. Children's Privacy

Our Services are intended for healthcare business professionals and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will provide notice via email to known users at least 30 days before the change takes effect. Continued use of the Services after any changes constitutes your acceptance of the revised policy.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

Auctus Group Consulting, LLC
Attn: Privacy Officer
201 West Lake St, Suite 42055
Chicago, IL 60606
Email: john@auctusgrp.com
Website: auctusgroupconsulting.com