Data Protection and Privacy Policy

HERMAN FAMILY GROUP LLC (UKRAINE)
and
HERMAN FAMILY GLOBAL (United States of America)

Effective Date: January 1, 2025
Contact Email: info@anastasiaherman.com
Group Data Controller: Anastasia Herman

  1. GENERAL PROVISIONS

This Policy establishes the rules and principles for processing, storing, and protecting personal and medical data within the Herman Family Group, which consists of:

  • Herman Family Group LLC (Ukraine)
    Registered address: 151 Zelena Street, Apt. 285, Lviv, Ukraine
    Operating address: 4A Khlibna Street, Office 103, Lviv, Ukraine
  • Herman Family Global (United States of America)
    Registered address: 7901 4th ST N, STE 14845, St. Petersburg, Florida 33702, United States of America
  • Together referred to as the “Company”, or “Joint Controllers”, acting under the unified management of Anastasiia Yaroslavivna Herman, who serves as the overall Data Controller and authorized representative of both entities.

This Policy complies with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR);
  • Law of Ukraine “On Personal Data Protection”;
  • Applicable U.S. privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA) and California Consumer Privacy Act (CCPA/CPRA);
  • Relevant ethical and professional standards in reproductive medicine.

  2. DEFINITIONS

  • Personal Data – any information relating to an identified or identifiable natural person.
  • Special Categories of Data – information relating to health, genetic or biometric data, or any other sensitive category.
  • Processing – any operation performed on personal data, such as collection, recording, storage, adaptation, transmission, or deletion.
  • Controller – the entity that determines the purposes and means of processing personal data.
  • Processor – an entity processing data on behalf of the Controller.
  • Data Subject – an individual whose personal data is processed by the Company.
  • Joint Controllers – Herman Family Group LLC (Ukraine) and Herman Family Global USA, acting jointly to determine the purposes and means of processing.

  3. PRINCIPLES OF DATA PROCESSING

The Company adheres to the following principles in all data processing activities:

  • Lawfulness, fairness, and transparency;
  • Purpose limitation – data are collected for specified and legitimate purposes only;
  • Data minimization – only data necessary for the intended purpose are processed;
  • Accuracy and updating;
  • Storage limitation – data retained only as long as necessary;
  • Integrity, confidentiality, and security;
  • Accountability – full documentation and proof of compliance.

  4. CATEGORIES OF PERSONAL DATA PROCESSED

The Company processes the following categories of data:

  • Identification data: name, date of birth, nationality, address, ID/passport details, contact information;
  • Medical data: reproductive history, health records, examination results, treatment progress, pregnancy information;
  • Financial and contractual data: invoices, payment details, contractual obligations;
  • Legal and administrative documents: powers of attorney, consents, marriage certificates, contracts;
  • Communication data: correspondence, calls, chat history, photographs, and uploaded files;
  • Partner and clinic data: contact details of doctors, coordinators, translators, and medical staff.

  5. PURPOSES OF DATA PROCESSING

The Company processes personal and medical data for the following legitimate purposes:

  • Preparation, execution, and performance of agreements with patients, donors, surrogate mothers, and clinics;
  • Coordination and management of reproductive programs (IVF, surrogacy, egg donation, embryo transfer, etc.);
  • Legal and administrative assistance in compliance with medical, family, and contractual obligations;
  • Fulfilment of legal obligations under Ukrainian, EU, and U.S. law;
  • Internal accounting, quality assurance, and auditing;
  • Ensuring medical safety, program transparency, and protection of participants’ rights.

  6. LEGAL BASES FOR PROCESSING

The processing of data is carried out on the following legal grounds:

  • Consent of the data subject;
  • Necessity for the performance of a contract or pre-contractual arrangements;
  • Compliance with legal obligations (medical, accounting, migration, or tax);
  • Legitimate interests pursued by the Company, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject;
  • Protection of vital interests of the data subject, especially in medical emergencies.

  7. PROCESSING OF SPECIAL CATEGORIES OF DATA

Special categories of data (medical, biometric, or genetic) are processed only:

  • Based on explicit written consent of the data subject;
  • Within the framework of medical or reproductive programs, where such processing is essential;
  • With enhanced technical and organizational protection, including encryption, secure servers, and restricted access;
  • On the basis that they are shared exclusively with authorized healthcare institutions or professionals bound by confidentiality.

  8. JOINT CONTROLLERSHIP (UA–US DATA COOPERATION)

Herman Family Group LLC (Ukraine) and Herman Family Global USA act as Joint Controllers.
Each entity may collect or process personal data on behalf of the other, under the unified direction and authority of Anastasia Herman, who is the designated contact and legal controller for the entire Group.

All data exchanges between the Ukrainian and U.S. entities are governed by Standard Contractual Clauses (SCCs), mutual Data Processing Agreements (DPAs), and transfer impact assessments (TIAs) where applicable.

  9. DATA RECEIVED FROM CLINICS AND PROGRAM PARTICIPANTS

The Company may receive and process personal and medical data provided, as part of the execution of cooperation agreements and lawful instructions, by:

  • Partner clinics, laboratories, and healthcare institutions;
  • Surrogate mothers, egg donors, translators, and coordinators.

Such processing is carried out:

  • On behalf of the patient, under the terms of written authorization or power of attorney;
  • Within the framework of collaboration agreements between the Company and medical institutions;
  • With the right to inform patients about medical results, progress updates, and clinical outcomes, while respecting all confidentiality obligations.

  10. DATA SUBJECT RIGHTS

Under GDPR, Ukrainian, and U.S. data protection law, data subjects have the right to:

  • Access their personal data and obtain a copy;
  • Rectify inaccurate or outdated information;
  • Request deletion (“right to be forgotten”);
  • Restrict or object to processing;
  • Data portability (receive their data in a structured, commonly used, machine-readable electronic format);
  • Withdraw consent at any time;
  • File a complaint with the competent supervisory authority.

Requests should be submitted to info@anastasiaherman.com.
Responses are provided without undue delay, and in any case within one month.

  11. DATA RETENTION AND DOCUMENT RETURN

Personal and medical data are retained:

  • For up to 2 years after completion of the program, unless a longer period is required by law;
  • Only in the minimum scope necessary for accounting or legal compliance;
  • Until the end of that period, after which they are securely deleted or anonymized.

11.1. Return of Original Documents

Upon completion of any reproductive program, the Company returns all original personal documents to their lawful owners (patients or authorized representatives).
This includes marriage certificates, powers of attorney, contracts, medical reports, and ID copies.
Surrogate mothers and donors also return their program-related contracts directly to the patients.
The Company does not retain or archive any original or copied personal documents once programs are finalized, except where retention is legally required for accounting or compliance purposes.

  12. SECURITY MEASURES

The Company maintains strict technical and organizational security measures, including:

  • Controlled and tiered access to systems;
  • Encryption of data at rest and in transit, using secure communication protocols (VPN, TLS);
  • Multi-factor authentication;
  • Staff confidentiality agreements (NDA) and training;
  • Periodic security audits and supplier compliance reviews.

  13. CROSS-BORDER DATA TRANSFERS

Personal data may be transferred between Ukraine, the United States, and the European Union under legally recognized safeguards:

  • Standard Contractual Clauses (SCCs) under GDPR;
  • HIPAA-compliant Business Associate Agreements (BAAs) for health-related processing;
  • CCPA/CPRA requirements for California residents, ensuring transparency and no “sale” of data in CCPA terms.

All transfers are subject to safeguards intended to provide a level of protection and data integrity equivalent to that applicable at the point of origin, regardless of the receiving jurisdiction.

  14. INCIDENT RESPONSE AND BREACH NOTIFICATION

In the event of a data breach or security incident:

  • The Company immediately investigates and mitigates the breach;
  • Notifies the competent supervisory authority within 72 hours of becoming aware of the breach, when legally required;
  • Informs affected individuals if there is a high risk to their rights or freedoms;
  • Keeps a detailed incident record and corrective action log.

  15. COMPLAINTS AND SUPERVISION

Data subjects may lodge complaints with:

  • Herman Family Group Data Protection Officer (info@anastasiaherman.com);
  • The Ukrainian Parliament Commissioner for Human Rights (Ombudsman);
  • EU/EEA supervisory authority, where applicable;
  • U.S. Department of Health and Human Services (HHS) or relevant state privacy regulators, if applicable under HIPAA/CCPA.

The Company ensures full cooperation and transparency with all supervisory bodies.

  16. POLICY UPDATES

This Policy may be amended periodically to reflect legal, organizational, or technological changes.
The latest version is always maintained internally and may be shared with partners or clients upon request.
Significant updates are communicated through official channels (email or website notice).

Contact Information

Herman Family Group LLC (Ukraine)
Registered address: 151 Zelena Street, Apt. 285, Lviv, Ukraine
Operating address: 4A Khlibna Street, Office 103, Lviv, Ukraine

Herman Family Global USA
Registered address: 7901 4th ST N, STE 14845, St. Petersburg, Florida 33702, United States of America

Group Data Controller: Anastasia Herman
Email: info@anastasiaherman.com
Effective Date: January 1, 2025