Privacy Policy

1. Introduction

Planetek ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website planetek.org (the "Site"), use our services, or engage with us for fractional technology leadership, code review, security audit, managed SOC services, or the Drift platform.

This Privacy Policy applies to all information collected through our Site, services, applications, and any related services, sales, marketing, or events (collectively, the "Services"). It also describes your privacy rights and how the law protects you.

By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Services. Your continued use of the Services following the posting of changes to this policy will be deemed your acceptance of those changes.

2. Information We Collect

2.1 Personal Information

We may collect personal information that you voluntarily provide to us when you register for Services, express interest in obtaining information about us or our Services, participate in activities on the Site, or otherwise contact us. The personal information we collect may include:

• Name, email address, phone number, and company name
• Business contact information and job title
• Payment and billing information
• Communication preferences and correspondence

All personal information that you provide must be true, complete, and accurate, and you must notify us of any changes to such information.

2.2 Technical Information

When you access or use our Services, we automatically collect certain technical information about your device and usage patterns. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes. The technical information we collect includes:

• IP address, browser type, and device information
• Usage data, including pages visited and time spent
• Cookies and similar tracking technologies
• Log files and analytics data

2.3 Service-Specific Information

In connection with providing our specialized security and code review services, we may collect and process additional technical information necessary to perform the Services. This service-specific information is collected only with your explicit authorization and includes:

• Source code and repository access credentials (encrypted)
• Infrastructure and system configuration data
• Vulnerability scan results and security findings
• Compliance and audit reports

All service-specific information is handled with the highest level of security and confidentiality in accordance with industry standards and our contractual obligations.

2.4 Information from Third Parties

We may receive information about you from various third-party sources to supplement the information we collect directly. These third-party sources help us maintain accurate records, provide better services, and comply with our legal obligations. Third-party information sources include:

• Business partners and service providers
• Public databases and credit bureaus
• Marketing and analytics providers
• Social media platforms (if you interact with us there)

We only collect third-party information where we have a legal basis to do so and where the third party has confirmed they have the right to share such information with us.

3. How We Use Your Information

We process your personal information for various purposes depending on how you interact with our Services, including:

3.1 Service Delivery and Operations

• Providing, operating, and maintaining our Services
• Processing transactions and managing payments
• Conducting code reviews, security audits, and vulnerability assessments
• Delivering managed SOC services and threat monitoring
• Providing fractional leadership consulting services
• Generating compliance reports and executive dashboards

3.2 Communication and Support

• Responding to inquiries and providing customer support
• Sending service-related notifications and security alerts
• Providing updates about Services, features, and changes
• Sending administrative information, invoices, and receipts

3.3 Business Operations and Improvement

• Monitoring and analyzing usage patterns and trends
• Improving and optimizing our Services and user experience
• Developing new products, services, and features
• Conducting research and analytics
• Testing, troubleshooting, and quality assurance

3.4 Security and Compliance

• Detecting, preventing, and addressing security incidents and fraud
• Protecting against malicious, deceptive, or illegal activity
• Enforcing our Terms of Service and other policies
• Complying with legal obligations and regulatory requirements
• Responding to legal requests and preventing harm

3.5 Marketing and Communications (With Consent)

• Sending marketing and promotional communications
• Delivering targeted advertising and content
• Conducting surveys and gathering feedback
• Hosting events and webinars

You may opt-out of marketing communications at any time by clicking the unsubscribe link in our emails or contacting us directly.

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties for their marketing purposes. We may share your information in the following circumstances:

4.1 Service Providers and Business Partners

We may share information with third-party vendors, consultants, and service providers who perform services on our behalf, including payment processing, data hosting, email delivery, customer support, and analytics. These parties are contractually obligated to use your information only as necessary to provide services to us and are bound by strict confidentiality agreements.

4.2 Legal Requirements and Protection

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, government agencies). We may also disclose information when we believe in good faith that disclosure is necessary to:

• Comply with legal obligations or regulatory requirements
• Protect and defend our rights, property, or safety
• Protect the rights, property, or safety of our users or the public
• Prevent or investigate possible wrongdoing, fraud, or security issues
• Enforce our Terms of Service or other agreements

4.3 Business Transfers and Corporate Transactions

In connection with or during negotiations of any merger, sale of company assets, financing, acquisition, divestiture, or dissolution of all or a portion of our business, your information may be transferred to the acquiring or successor entity. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information for any other purpose with your explicit consent or at your direction.

4.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This information may be used for research, analytics, marketing, or other business purposes without restriction.

5. Data Security

We implement comprehensive technical, administrative, and physical security measures designed to protect your information from unauthorized access, use, alteration, and disclosure:

5.1 Technical Safeguards

We employ industry-standard technical security measures to protect your information from unauthorized access, disclosure, alteration, and destruction. Our technical safeguards include, but are not limited to:

• Transport Layer Security: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS) version 1.2 or higher, ensuring secure HTTPS connections
• Data Encryption at Rest: All sensitive data stored in our databases and file systems is encrypted using Advanced Encryption Standard (AES) with 256-bit keys
• Multi-Factor Authentication: Access to our systems and administrative interfaces requires multi-factor authentication (MFA) combining passwords with time-based one-time passwords (TOTP) or hardware security keys
• Secure API Authentication: All API endpoints use OAuth 2.0 or API key authentication with rate limiting and request validation to prevent unauthorized access
• Security Patch Management: We maintain a rigorous schedule for applying security patches and updates to all systems, typically within 72 hours of critical vulnerability disclosure
• Intrusion Detection Systems: Network-based and host-based intrusion detection systems (IDS) continuously monitor for suspicious activity and potential security threats
• Web Application Firewall: A web application firewall (WAF) protects against common web exploits including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF)
• DDoS Protection: Distributed denial-of-service (DDoS) protection and mitigation services ensure service availability during attack attempts

These technical controls are regularly tested and updated to address emerging threats and maintain compliance with industry security standards including SOC 2, ISO 27001, and NIST Cybersecurity Framework.

5.2 Administrative Safeguards

We implement comprehensive administrative policies and procedures to ensure that only authorized personnel have access to personal information and that such access is limited to what is necessary to perform their job functions. Our administrative safeguards include:

• Access Control Policies: All access to personal information is governed by the principle of least privilege, ensuring employees and contractors can only access data necessary for their specific roles and responsibilities
• Role-Based Access Control: We implement role-based access control (RBAC) systems that assign permissions based on job function, with regular reviews and recertification of access rights conducted quarterly
• Background Checks: All employees and contractors with access to personal information undergo comprehensive background checks prior to employment, including criminal history and identity verification
• Security Training: Mandatory security awareness training is provided to all personnel upon hire and annually thereafter, covering topics including phishing prevention, data handling procedures, and incident reporting
• Confidentiality Agreements: All employees, contractors, and third-party service providers are required to sign confidentiality and non-disclosure agreements as a condition of access to our systems and data
• Incident Response Plan: We maintain a documented incident response plan that defines procedures for detecting, responding to, and recovering from security incidents, including breach notification protocols
• Security Audits: Regular internal security audits and third-party compliance assessments are conducted at least annually to verify adherence to security policies and identify areas for improvement

These administrative controls are documented in our Information Security Policy and are reviewed and updated annually or whenever significant changes occur to our operations or threat landscape.

5.3 Physical Safeguards

Our data is stored in secure, professionally managed data centers that implement multiple layers of physical security controls to prevent unauthorized physical access to servers and infrastructure. Physical safeguards include:

• SOC 2 Compliant Data Centers: All production data is hosted in data centers that maintain SOC 2 Type II certification, demonstrating compliance with rigorous security, availability, and confidentiality standards
• 24/7 Physical Security: Data centers employ round-the-clock security personnel, video surveillance systems with recording and retention, and visitor logging and escort procedures
• Biometric Access Controls: Entry to server rooms and sensitive areas requires multi-factor authentication including biometric verification (fingerprint or retinal scan) combined with access cards
• Environmental Controls: Facilities are equipped with fire suppression systems (including pre-action sprinklers and gaseous suppression), temperature and humidity monitoring, and water detection systems to protect against environmental hazards
• Redundant Infrastructure: Data centers maintain redundant power supplies with uninterruptible power systems (UPS) and backup generators, as well as redundant network connectivity from multiple carriers to ensure continuous availability

Our data center providers undergo regular third-party audits and maintain certifications including ISO 27001, PCI DSS, and HIPAA compliance where applicable.

5.4 Ongoing Security Practices

Security is not a one-time implementation but an ongoing process of monitoring, testing, and improvement. We maintain continuous security operations through:

• Penetration Testing: Independent third-party security firms conduct penetration testing of our applications and infrastructure at least annually, with critical findings remediated within 30 days
• Vulnerability Assessments: Automated vulnerability scanning is performed weekly on all internet-facing systems, with critical vulnerabilities addressed within 72 hours and high-severity issues within 7 days
• Security Code Reviews: All code changes undergo security-focused code review using both automated static analysis tools (SAST) and manual review by security-trained developers before deployment to production
• Security Monitoring: Our Security Operations Center (SOC) provides 24/7/365 monitoring of security events, with automated alerting for suspicious activities and dedicated security analysts investigating potential incidents
• Threat Intelligence: We subscribe to threat intelligence feeds and participate in information sharing communities to stay informed of emerging threats and vulnerabilities relevant to our technology stack
• Third-Party Audits: Independent auditors conduct annual assessments of our security controls, resulting in SOC 2 Type II reports that are available to customers under NDA

All security testing results are reviewed by our security team, and findings are tracked through remediation using our vulnerability management program.

5.5 Data Breach Notification

Despite our comprehensive security measures, no system can be completely immune to security incidents. In the unlikely event of a data breach that affects your personal information, we have established procedures to respond quickly and transparently:

We will notify affected individuals and relevant regulatory authorities as required by applicable law, typically within 72 hours of confirming the breach. Our notification will include: (a) a description of the nature of the breach, including the categories and approximate number of individuals and records affected; (b) the likely consequences of the breach; (c) measures we have taken or propose to take to address the breach and mitigate potential harm; (d) contact information for our data protection officer or other point of contact where more information can be obtained; and (e) recommendations for steps you can take to protect yourself.

Notifications will be provided via email to the address associated with your account, and where required by law, through additional means such as postal mail, telephone, or prominent website notice. We will also provide updates as our investigation progresses and additional information becomes available.

While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your information using industry best practices.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

6.1 Retention Criteria

We determine retention periods based on:

• The nature and sensitivity of the information
• The purposes for which we process the information
• Legal, regulatory, tax, and accounting requirements
• Contractual obligations and business needs
• Potential for disputes or litigation

6.2 Specific Retention Periods

• Account Information: Retained while your account is active and for 7 years after closure
• Transaction Records: Retained for 7 years for tax and accounting purposes
• Security Audit Data: Retained for 3-5 years depending on compliance requirements
• Marketing Data: Retained until you opt-out or for 2 years of inactivity
• Technical Logs: Retained for 90 days to 1 year for security and troubleshooting
• Legal Hold Data: Retained as long as necessary for legal proceedings

6.3 Data Deletion

Upon expiration of the retention period or upon your request (subject to legal obligations), we will securely delete or anonymize your personal information using industry-standard methods including:

• Secure deletion from active systems and databases
• Removal from backup systems within standard backup cycles
• Anonymization or pseudonymization where deletion is not feasible
• Physical destruction of hardware containing data when decommissioned

You may request deletion of your personal data at any time by contacting privacy@planetek.org. We will honor your request subject to legal retention requirements and legitimate business needs.

7. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

7.1 GDPR Rights (EU/EEA)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain data protection rights under the General Data Protection Regulation (GDPR). These rights include:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent

You also have the right to lodge a complaint with your local supervisory authority if you believe we have not complied with applicable data protection laws.

7.2 CCPA Rights (California)

California residents have specific privacy rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale (we do not sell data)
• Right to non-discrimination for exercising rights

These rights are subject to certain exceptions and limitations as provided by applicable law. We will not discriminate against you for exercising any of your privacy rights.

To exercise these rights, contact us at privacy@planetek.com. We will respond within 30 days.

8. Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar tracking technologies to collect and store information when you interact with our Services. These technologies help us provide, protect, and improve our Services.

8.1 Types of Cookies We Use

• Essential Cookies: Required for website functionality, authentication, and security. These cannot be disabled.
• Performance Cookies: Collect information about how you use our Services to help us improve performance and user experience.
• Functional Cookies: Remember your preferences and settings to provide enhanced, personalized features.
• Analytics Cookies: Help us understand usage patterns, measure traffic, and analyze user behavior (Google Analytics, etc.).
• Marketing Cookies: Track your activity across websites to deliver targeted advertising and measure campaign effectiveness (with consent).

8.2 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to:

• View and delete cookies
• Block third-party cookies
• Block cookies from specific sites
• Block all cookies
• Delete all cookies when you close your browser

Note that disabling cookies may affect the functionality of our Services. For more information about cookies and how to manage them, visit www.allaboutcookies.org.

8.3 Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature. Currently, there is no industry standard for how to respond to DNT signals. We do not currently respond to DNT signals, but we will update this policy if standards are established.

9. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States, where our servers and service providers are located. These countries may have data protection laws that differ from those in your jurisdiction.

9.1 Legal Basis for Transfers

When we transfer personal information from the European Economic Area (EEA), United Kingdom, or Switzerland to other countries, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs for data transfers
• Adequacy Decisions: We transfer data to countries deemed adequate by the European Commission
• Binding Corporate Rules: Internal policies ensuring data protection across our organization
• Consent: We obtain your explicit consent where required

9.2 Data Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) to evaluate risks associated with international data transfers and implement supplementary measures where necessary to ensure adequate protection.

For more information about our international data transfer practices or to obtain copies of relevant safeguards, contact privacy@planetek.org.

10. Children's Privacy

Our Services are not intended for, nor directed to, individuals under the age of 18 ("Children" or "Minors"). We do not knowingly collect, use, or disclose personal information from Children without verifiable parental consent.

If we become aware that we have collected personal information from a Child without proper parental consent, we will take immediate steps to delete such information from our systems. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@planetek.org.

Parents and guardians should supervise their children's online activities and consider using parental control tools to prevent children from disclosing personal information without permission.

11. Third-Party Services and Links

Our Services may contain links to third-party websites, applications, and services that are not operated by us. We are not responsible for the privacy practices or content of these third parties.

We may use third-party service providers to support our Services, including:

• Payment Processors: Stripe for payment processing
• Cloud Infrastructure: AWS, Google Cloud for hosting and storage
• Analytics: Google Analytics for website analytics
• Communication: Email service providers for transactional and marketing emails
• Security Tools: Vulnerability scanning and threat intelligence providers

These third parties have their own privacy policies. We encourage you to review their privacy policies before providing any information to them. We are not responsible for their practices.

12. Changes to This Policy

We reserve the right to modify, update, or replace this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

12.1 Notification of Changes

When we make material changes to this Privacy Policy, we will notify you by:

• Updating the "Last Updated" date at the top of this policy
• Sending an email notification to the address associated with your account
• Posting a prominent notice on our website
• Providing in-app notifications (where applicable)

12.2 Your Acceptance

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you must discontinue use of our Services and may request deletion of your account and personal information.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Material changes will be effective 30 days after notification, unless otherwise required by law.

13. California Privacy Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). This section provides detailed information about these rights and how to exercise them.

13.1 Your California Privacy Rights

California residents have the following rights regarding their personal information:

• Right to Know: Request disclosure of personal information collected, used, disclosed, or sold
• Right to Delete: Request deletion of personal information we have collected
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the sale or sharing of personal information (we do not sell data)
• Right to Limit: Limit the use of sensitive personal information
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights

13.2 Exercising Your Rights

To exercise these rights, submit a verifiable request to privacy@planetek.org. We will verify your identity before processing your request and respond within 45 days. We may extend this period by an additional 45 days when reasonably necessary, in which case we will notify you of the extension and the reason for it.

13.3 Shine the Light Law

California residents may also contact us for a list of personal information categories we disclosed to third parties for direct marketing purposes in the preceding calendar year, along with the names and addresses of those third parties. This request may be made once per calendar year and is free of charge.

14. Nevada Privacy Rights

Nevada residents who have purchased goods or services from us have the right to opt-out of the sale of certain personal information to third parties who will license or sell such information to additional third parties.

We do not currently sell your personal information as defined under Nevada Revised Statutes Chapter 603A. However, if you are a Nevada resident and wish to exercise your opt-out rights or have questions about our data practices, please contact us at privacy@planetek.org with "Nevada Privacy Rights" in the subject line.

15. Additional State Privacy Rights

In addition to California, several other U.S. states have enacted comprehensive privacy laws that grant residents specific rights regarding their personal information. If you are a resident of one of these states, you may have additional privacy rights as described below.

15.1 Virginia (VCDPA)

Virginia residents have rights under the Virginia Consumer Data Protection Act to access, correct, delete, and obtain a copy of their personal data. Virginia residents may also opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

15.2 Colorado (CPA)

Colorado residents have similar rights under the Colorado Privacy Act to access, correct, delete, and port their personal data. Colorado residents may also opt-out of targeted advertising, sale of personal data, and certain profiling activities that produce legal or similarly significant effects concerning the consumer.

15.3 Connecticut (CTDPA)

Connecticut residents have rights under the Connecticut Data Privacy Act to confirm whether we process their personal data, access their data, correct inaccuracies, delete their data, and obtain a copy in a portable format. Connecticut residents may also opt-out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

15.4 Utah (UCPA)

Utah residents have rights under the Utah Consumer Privacy Act to access, delete, and obtain a copy of their personal data. Utah residents may also opt-out of the processing of personal data for targeted advertising or the sale of personal data.

15.5 Exercising State Privacy Rights

To exercise any of these state-specific rights, please contact us at privacy@planetek.org with "[State Name] Privacy Rights" in the subject line. We will respond to your request within the timeframes required by applicable state law, typically within 45 days. We may need to verify your identity before processing your request and may deny requests in certain circumstances as permitted by law.

16. Contact Us

For questions about this Privacy Policy, to exercise your rights, or to file a complaint, contact us:

If you are located in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority.