Privacy

Our privacy principles

Privacy by design means privacy controls are built into systems from the start, not bolted on later. We minimize data collection to what is necessary for stated purposes, limit retention to what is required by law or business need, and apply purpose limitation so data is not repurposed without consent. We classify data by sensitivity and apply appropriate protections: encryption, tokenization, access controls, and audit logging. These practices reduce privacy risk while enabling legitimate business operations.

Data minimization is central to our approach. We collect only what is necessary for stated purposes and delete data when it is no longer needed. Retention policies are defined, automated, and regularly reviewed. We avoid collecting sensitive personal information unless required, and when we do, we apply strong protections and limit access. This reduces exposure and compliance risk while improving user trust.

Purpose limitation ensures data is used only for stated purposes. When we collect data for one purpose, we do not repurpose it without consent or legal basis. We document data uses clearly and update privacy notices when purposes change. This transparency helps users understand how their data is used and builds trust.

Data protection and security

We protect data in transit and at rest with encryption, strong key management, and access controls. Encryption in transit uses TLS 1.2 or higher for all communications. Encryption at rest applies to databases, file systems, and backups. Key management follows industry best practices: keys are stored separately from data, rotated regularly, and access is logged and audited. These practices protect data from unauthorized access even if systems are compromised.

Access controls enforce least privilege: users and systems get only the access they need for their role. Role-based access control (RBAC) ensures permissions are granted based on job function, not individual requests. Access is reviewed regularly, and unused access is revoked. Audit logs record who accessed what data when, enabling detection and investigation of unauthorized access. These controls reduce insider risk and improve accountability.

We classify data by sensitivity and apply appropriate protections. Personally identifiable information (PII) is identified, cataloged, and protected with reversible and irreversible techniques as appropriate. Sensitive data receives stronger protections: additional encryption, stricter access controls, and more frequent audits. These practices ensure sensitive data receives the protection it deserves.

Data subject rights

We honor data subject rights under GDPR, CCPA, and other applicable frameworks. Individuals can request access to their data, correction of inaccurate data, deletion when no longer needed, and portability of their data. We respond to verified requests within statutory timeframes and provide clear information about data uses and retention. Our processes are documented, automated where possible, and regularly reviewed to ensure compliance.

Access requests are processed securely and verified to prevent unauthorized disclosure. We provide data in machine-readable formats when requested and explain data uses clearly. Correction requests are processed promptly, and systems are updated to reflect accurate information. Deletion requests are honored when data is no longer needed or when required by law, with appropriate exceptions for legal holds or business requirements.

Portability enables individuals to take their data elsewhere. We provide data in common formats and assist with transfers when requested. Our processes are transparent, and we communicate clearly about timelines and requirements. These practices empower individuals and build trust.

Third-party risk management

We assess third-party vendors for privacy and security practices before engaging them. Contracts include data protection clauses, breach notification requirements, and audit rights. We monitor vendor compliance and require remediation when gaps are identified. Sub-processors are disclosed, and we ensure they meet our standards. These practices reduce third-party risk and protect data entrusted to us.

Vendor risk assessments cover data handling practices, security controls, breach history, and compliance certifications. We prefer vendors with strong privacy practices and certifications like SOC 2, ISO 27001, or GDPR-compliant processors. Contracts require vendors to protect data, notify us of breaches, and comply with applicable laws. These practices ensure vendors meet our standards.

Privacy governance

Privacy governance includes policies, training, audits, and incident response. Our privacy policy describes data practices clearly and is updated when practices change. Employees receive privacy training and understand their responsibilities. Regular audits ensure practices match policies and identify gaps. Incident response plans ensure breaches are detected, contained, and reported promptly. These practices ensure privacy is managed systematically.

Privacy by design is integrated into our development lifecycle. Developers receive privacy training and use tools that embed privacy controls. Privacy impact assessments are conducted for new uses of personal data. These practices ensure privacy is considered from the start, not added later.

Our commitments

• Purpose limitation, data minimization, and retention controls: We collect only what is necessary, use it only for stated purposes, and delete it when no longer needed.
• Encryption in transit and at rest; key management best practices: We protect data with strong encryption and manage keys securely.
• Data subject rights processes and verified requests: We honor access, correction, deletion, and portability requests promptly and securely.
• Third-party risk reviews and contractual safeguards: We assess vendors and require them to protect data.
• Privacy governance and training: We manage privacy systematically with policies, training, and audits.

Contact us

For privacy questions or to exercise your rights, please use our contact form. We respond to verified requests within statutory timeframes and provide clear information about our practices.