Resume & CV Services:

• Name, contact information (email, phone, address, LinkedIn profile)
• Work history (employers, job titles, dates, responsibilities, achievements)
• Education (degrees, institutions, dates, GPA if provided)
• Certifications, licenses, professional memberships
• Skills, languages, volunteer experience
• References (if provided)
• Career objectives and target roles

Business Letter Services:

• Sender and recipient details
• Business context and purpose of correspondence
• Supporting documents (contracts, agreements, prior correspondence)

Policy & Handbook Services:

• Organization name, size, industry, location
• Existing policies (for review or revision)
• Regulatory requirements specific to your jurisdiction
• Organizational structure and operational details
• Contact person details (decision-makers, compliance officers)

Payment Information:

• Name, billing address
• Payment method (credit card, bank transfer details)
• Transaction history for accounting and tax purposes

Note: Payment processing is handled by third-party processors (Stripe, PayPal). We do not store full credit card numbers on our servers.

Website Usage Data:

• IP address (for security and analytics)
• Browser type and version
• Device information (desktop, mobile, tablet)
• Pages visited, time spent on site
• Referral source (how you found us)

Cookies & Tracking Technologies:

We use minimal, essential cookies:

• Strictly Necessary Cookies: Session management, security (cannot be disabled)
• Analytics Cookies: Google Analytics (anonymized IP) to understand site usage and improve user experience

You Control Cookies: You can disable non-essential cookies via browser settings. This won't affect core site functionality.

• No social media tracking pixels (e.g., Facebook Pixel, LinkedIn Insight Tag)
• No third-party advertising cookies
• No behavioral profiling for marketing
• No sale of data to data brokers

• Create Your Documents: Using the information you provide to draft resumes, letters, policies, and handbooks tailored to your needs
• Client Communication: Sending drafts, revisions, invoices, and project updates
• Quality Assurance: Internal review for accuracy, grammar, and compliance
• Customer Support: Responding to inquiries, troubleshooting, and providing assistance

• Payment Processing: Sharing billing information with payment processors (Stripe, PayPal) under their privacy policies
• Legal Compliance: Maintaining records for tax, accounting, and regulatory requirements (e.g., IRS recordkeeping, anti-money laundering laws)
• Business Operations: Anonymized analytics to improve services (e.g., "40% of clients request executive resume formatting")

We Will NEVER:

• Sell your data to third parties
• Use your information for unrelated marketing
• Share your documents with other clients or use them as templates

• Encryption:
  • TLS 1.2+ encryption for data in transit (HTTPS)
  • AES-256 encryption for data at rest (stored files)
• Access Controls:
  • Role-based access (only authorized personnel can view client files)
  • Multi-factor authentication (MFA) for all team accounts
  • Unique login credentials (no shared accounts)
• Secure Infrastructure:
  • Cloud storage via Google Workspace (SOC 2, ISO 27001 certified)
  • Regular security patches and updates
  • Firewall protection and intrusion detection systems
• Data Backup & Recovery:
  • Daily encrypted backups stored in geographically separate locations
  • Disaster recovery plan tested quarterly

• Confidentiality Agreements: All team members sign NDAs and data protection agreements
• Background Checks: Conducted for all personnel with access to client data
• Training: Annual data security and privacy training for staff
• Access Logs: We monitor who accesses client files and when
• Clean Desk Policy: Physical documents secured when not in use; no unattended printouts

• Secure Office: Locked facility with keycard access
• Device Security: Encrypted laptops and mobile devices; remote wipe capability if lost/stolen
• No Public Wi-Fi: Work on client files only on secure networks

Payment Processors:

• Stripe: Credit card processing (PCI-DSS compliant)
• PayPal: Alternative payment method

What They See: Billing name, address, payment details. What They Don't See: Resume content, policy drafts, or other project details.

Cloud Storage & Productivity:

• Google Workspace: Secure file storage, email, document collaboration
  • Data Processing Agreement: Yes (GDPR-compliant)
  • Certifications: ISO 27001, SOC 2, SOC 3

Website Hosting & Analytics:

• Squarespace: Website hosting (GDPR-compliant, encrypted)
• Google Analytics: Anonymized traffic data (IP anonymization enabled)

We do not share your information with:

• Marketing or advertising companies
• Data brokers or aggregators
• Social media platforms for profiling
• Unrelated third parties

Exception: Legal obligations (e.g., valid subpoena, court order) or to prevent imminent harm (e.g., credible threat of violence). We will notify you if legally permitted.

Active Projects:

• Duration of project + standard revision period (30-45 days)

Completed Projects:

• Resume/CV files: 6 months after final delivery (to accommodate minor updates)
• Business letters: 3 months after final delivery
• Policies & Handbooks: 1 year after final delivery (many clients return for annual updates)
• Payment records: 7 years (IRS requirement for business records)

Inactive Clients:

• Files deleted after retention period expires unless you've opted into extended storage (e.g., annual policy review service)

When retention periods end or upon your deletion request:

1. Primary Storage: Files permanently deleted from active systems
2. Backups: Removed during next backup cycle (within 90 days)
3. Physical Copies: Shredded via cross-cut shredder or professional shredding service
4. Email: Purged from sent/received folders and trash

Exception: De-identified data for statistical analysis (e.g., "average resume word count") may be retained indefinitely, as it cannot be linked back to you.

What You Can Do: Request a copy of all personal data we hold about you.

How: Email privacy@policybridgeadvisors.com with "Data Access Request" in the subject line.

Response Time: 15-30 business days (we'll acknowledge receipt within 5 days).

Format: PDF or your preferred machine-readable format (e.g., CSV for structured data).

What You Can Do: Correct inaccurate or incomplete personal data.

How: Contact us with the specific information to update.

Examples: Updating contact info, correcting work history dates, fixing typos in your documents.

What You Can Do: Request deletion of your personal data.

Exceptions (we may need to retain data):

• Legal/tax obligations (e.g., IRS records retention)
• Ongoing disputes or litigation
• Defending against legal claims

Process: Email privacy@policybridgeadvisors.com. We'll confirm deletion within 30 days.

What You Can Do: Receive your data in a structured, machine-readable format for transfer to another service provider.

Format: Word (.docx), PDF, CSV, JSON (your choice).

What You Can Do: Limit how we use your data (e.g., storage only, no further processing).

When Applicable:

• You're disputing data accuracy
• Processing is unlawful but you don't want deletion
• You need the data for legal claims

What You Can Do: Object to processing based on legitimate interests or for direct marketing.

Note: We don't engage in direct marketing beyond service-related communications. If you object to service-related emails, we'll accommodate where feasible.

What You Can Do: If processing is based on consent (e.g., optional marketing emails), withdraw consent anytime.

Effect: We'll stop that processing going forward (doesn't affect past processing).

Contact: privacy@policybridgeadvisors.com
Include:

• Your full name and contact info
• Description of your request
• Proof of identity (to prevent unauthorized access)

Verification: We may ask for additional identification (e.g., matching email address on file, last four digits of payment method) to confirm your identity.

No Fee: Exercising your rights is free (unless requests are excessive or manifestly unfounded).

If you're in the European Union, European Economic Area, or United Kingdom:

• Legal Mechanism: Standard Contractual Clauses (SCCs) approved by the European Commission
• Safeguards: We implement supplementary measures (encryption, access controls) to ensure GDPR-equivalent protection
• Data Protection Officer: Available for EU-specific inquiries

For clients outside the U.S., EU/EEA, or UK:

• We apply the same high standards of data protection regardless of your location
• Data may be processed in the United States under this policy's terms
• You retain all rights outlined in Section 6

1. Immediate Containment: Isolate affected systems to prevent further unauthorized access
2. Investigation: Determine scope, cause, and affected data
3. Notification:
   • Affected clients: Notified within 72 hours of discovery
   • Regulatory authorities: As required by law (e.g., GDPR, state breach notification laws)
4. Remediation: Fix vulnerabilities, enhance security measures
5. Support: Offer credit monitoring or identity theft protection if Social Security numbers or financial data compromised

Breach notifications will include:

• Description of the incident
• Types of data involved
• Steps we're taking to address the breach
• Recommended actions you can take (e.g., monitor credit, change passwords)
• Contact information for questions

Services Not Directed at Minors: Our services are intended for adults (18+) and businesses. We do not knowingly collect data from children under 18.

If You're a Parent/Guardian: If you believe we've inadvertently collected information from a minor, contact us immediately at privacy@policybridgeadvisors.com. We will:

1. Immediately cease processing
2. Delete all related data
3. Cease processing related to that individual

COPPA Compliance: We comply with the Children's Online Privacy Protection Act (16 CFR Part 312).

Anonymization Techniques:

• K-Anonymity: Ensuring each data point is indistinguishable from at least K-1 others
• Data Suppression: Removing direct identifiers (names, addresses, emails)
• Generalization: Replacing specific values with ranges (e.g., "30-40 years old" instead of exact age)
• Noise Addition: Statistical techniques to prevent re-identification

Example Uses:

• "75% of resume clients request executive formatting"
• "Average policy development timeline: 4-6 weeks"
• "Most common handbook section requests"

Re-Identification Prohibition: We do not and will not attempt to re-identify anonymized data or link it back to individuals.

With Your Written Consent Only:

• We may request permission to use de-identified project examples
• You control what information is shared
• You can withdraw consent anytime (future use only)

Default: Client projects remain confidential unless you explicitly opt-in.

Your Responsibility:

• Review privacy policies of third-party sites before providing information
• We're not responsible for their privacy practices

Social Media Buttons: "Share" buttons (LinkedIn, Twitter) are non-tracking until you click them. Clicking these buttons may allow social networks to track you per their own policies.

Embedded Content: Occasionally, we may embed content (e.g., YouTube videos for tutorials). These embeds may use cookies per the third party's policy. We use privacy-enhanced embed modes when available.

Cyber Insurance:

We carry cyber liability insurance covering:

• Data breach response costs
• Notification expenses
• Credit monitoring services (if applicable)
• Regulatory defense costs
• Third-party liability claims

Coverage Limits: Available upon request for enterprise clients requiring verification.

Not a Guarantee: While we maintain insurance, our primary focus remains on prevention through robust security measures.

Product Development:

• Privacy Impact Assessments (PIAs) for new services or major changes
• Data minimization review before launching new offerings
• Default privacy settings favor data protection

Training & Culture:

• Annual privacy training for all team members
• Privacy champion designated in each service area
• Quarterly privacy review meetings

Vendor Management:

• Privacy questionnaire for all new vendors
• Annual re-assessment of processor security
• Contractual right to audit processors

Continuous Improvement:

• Client feedback surveys on privacy practices
• Monitoring of regulatory changes (GDPR, CCPA, state laws)
• Participation in privacy professional organizations (IAPP)

1. Your data may be transferred to and processed in the USA
2. Safeguards:
   • Standard Contractual Clauses (SCCs) for EU/EEA/UK clients
   • Equivalent protections for clients in other jurisdictions
   • Encryption in transit and at rest
3. Your Rights: You retain all privacy rights granted by your local jurisdiction
4. Local Laws: We respect local data protection laws where they provide greater protections

Data Localization:

For clients with strict data residency requirements, we can discuss:

• EU-based cloud storage options (Google Workspace EU data centers)
• On-premises delivery models
• Restricted transfer agreements

Minor Changes (clarifications, formatting):

• Posted on website with "Last Updated" date
• No separate notification

Material Changes (new data uses, processor changes, reduced protections):

• Posted on website 30 days before effective date
• Email notification to active clients
• Highlighted summary of changes in notification

Your Options:

• Continue using services (acceptance of new terms)
• Object and request data deletion
• Exercise any rights under prior policy version during transition period

Policy Archive: Previous versions available at: [Link to policy archive] or upon request

Effective Date: October 23, 2025
Policy Version: 2.0
Next Scheduled Review: January 23, 2026

Governing Law:

This policy is governed by and interpreted under the laws of:

• California (state privacy law - CCPA/CPRA)
• United States federal law
• GDPR (for EU/EEA/UK clients)
• Applicable jurisdiction of client's residence

Severability: If any provision is found unenforceable, remaining provisions remain in full effect.