Introduction

Circumference Tech, LLC (“Circumference Tech,” “we,” or “us”) is a Minnesota-based IT consultancy and product company that provides cybersecurity consulting, auditing, and cloud-native software products to small and mid-sized U.S. businesses. We are committed to protecting the privacy of our business customers and their organizational data. In line with our core values, we collect and use only the minimum personal information necessary to deliver our services and we maintain transparency about our data practices. This Privacy Policy explains what information we collect, how we use and safeguard it, and the choices and rights available to our users. Our services are designed for business use in the United States only, and we do not offer services to individual consumers or minors.

Scope and Applicability

This Privacy Policy applies to the personal and organizational information we collect in the course of providing Circumference Tech services to our U.S.-based business customers. We do not target or knowingly collect data from individuals outside the United States, and our services are not intended for use by consumers or anyone under the age of 18. Because of this U.S.-only focus, our data practices are not governed by international privacy frameworks such as the EU General Data Protection Regulation (GDPR) or sectoral laws like HIPAA (which applies to health information) – our services do not involve protected health information and are outside the scope of those laws. However, we strive to follow general U.S. data privacy best practices including transparency about our practices, collecting only what is necessary, implementing security safeguards, and respecting user rights to access and control their information.

Information We Collect

We only collect information that is necessary to provide our consulting, auditing, and cloud-native product services. This includes:

• Business Contact Information: Names and work email addresses of client personnel using our services or involved in projects. We may also collect other contact details such as job title, phone number, or business mailing address as needed to manage the account.

• Technical Identifiers: Information like IP addresses and device identifiers used when connecting to our services. This helps with security, network management, and audit logging.

• Organizational Data: Data about the customer’s organization that is relevant to our services. For example, this can include company name, industry, and IT system information provided during audits or consulting engagements. It may also include account configuration details for our products (e.g. tenant IDs, user IDs within the client’s organization) and other information entered into our cloud-native tools as part of normal use.

We do not collect any personal information that is not necessary for these purposes. In keeping with the principle of data minimization, if we don’t need a piece of information to serve you, we do not collect it. In particular, we do not knowingly collect sensitive personal data such as social security numbers, home addresses, personal financial or health information, or data about children or individual consumers, since our services are business-oriented. All information we collect is typically provided directly by the customer or generated through their use of our services (for instance, logs of service usage and IP addresses).

How We Use Information

We use the information we collect strictly to deliver, maintain, and improve our products and services to our business customers. The uses of personal and organizational data include:

• Service Delivery: We use contact and organizational information to set up and manage customer accounts, conduct consulting engagements, perform IT audits, and provide access to our cloud-native products. For example, we will use your name and email to identify you and communicate regarding project work or product access.

• Communication: We may send service-related communications, such as project updates, audit findings, support responses, reports, and administrative emails. We use your contact information to inform you about critical updates or changes to services and to coordinate with you during engagements.

• Product Functionality: Technical data like IP addresses and device identifiers are used to enable secure access to our online products, to maintain session security, and to monitor system performance. This data helps us ensure reliable and secure service delivery.

• Improvement and Analytics: We may internally analyze aggregated usage data or audit results to improve our offerings and ensure quality. Any such analysis will use de-identified or aggregated information whenever possible.

• Security and Compliance: Information (such as logs of access or account information) may be used to detect, prevent, and respond to security incidents or potentially unauthorized activities. We also may use data as necessary to comply with applicable U.S. laws, regulations, and our contractual obligations (for example, maintaining records of services provided for compliance or audit purposes).

We use your data only for the purposes communicated in this policy or within our agreements with your organization, and not for any unrelated purposes. We do not use personal information for marketing to individual consumers, profiling, or any purpose outside the scope of providing services to our business clients. If we ever need to use personal data for a new purpose, we will obtain proper consent or provide notice as required. Our goal is to be transparent about how we use your information and to ensure each use is aligned with serving you and your organization’s needs.

Data Sharing and Third-Party Services

Circumference Tech does not sell or rent any personal or organizational data to third parties. We will never monetize your information or share it for others’ marketing or unrelated uses – this is a firm policy in line with our values of privacy and trust. Any sharing of data is limited to the following circumstances:

• Service Providers: We may share certain data with trusted third-party service providers strictly for the purpose of operating and supporting our services on our behalf. For example, our cloud-native products and IT solutions are built on reliable third-party infrastructure such as Microsoft’s cloud services and Cloudflare’s network platform. These providers host or transmit data as needed for us to deliver functionality (e.g. data storage, networking, email delivery). We may also use other vendors for things like customer relationship management or support ticketing. In all cases, these service providers are only permitted to use the data to provide services to Circumference Tech and for no other purpose. We vet and contractually bind our third-party providers to strong privacy and security standards before engaging them. Each such provider undergoes a security review aligned with our internal risk and compliance requirements to ensure they meet our standards for protecting data.

• Legal Compliance and Protection: We may disclose information if required to do so by U.S. law or lawful requests by public authorities (e.g., in response to a subpoena or court order). We may also share data when necessary to establish or exercise our legal rights, to enforce our agreements, to investigate fraud, or to protect the rights, property, or safety of Circumference Tech, our customers, or others.

• Business Transfers: If Circumference Tech is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, or sale of all or part of our business, customer information may be disclosed to the parties involved and their advisers as part of evaluating or completing the transaction. In such cases, we would ensure that appropriate confidentiality and privacy protections are in place and that any successor to our business continues to handle personal data in line with this Privacy Policy.

Aside from the situations above, we do not share personal information with any third parties. We do not share or exchange data for cross-context behavioral advertising or any form of data “selling” under any definition. Our use of third-party tools and infrastructure is strictly to enable the services we provide to you, and we remain accountable for how your information is used. We maintain clear agreements with our vendors to prevent unauthorized data access, disclosure, or data selling.

Data Security

We take the security of your data very seriously and implement appropriate technical and organizational measures to safeguard personal and organizational information. Circumference Tech’s infrastructure and internal practices are aligned with industry security standards (for example, we follow controls based on NIST Special Publication 800-53 for information security). Key security measures include:

• Encryption and Access Control: Sensitive data entrusted to us is protected by encryption both in transit (e.g. via TLS for data sent between your device and our services) and at rest in our systems. We restrict access to personal data to authorized personnel on a need-to-know basis, and we employ strong authentication and access controls to prevent unauthorized access.

• Network and Infrastructure Security: Our products run on reputable cloud platforms (such as Microsoft Azure and Cloudflare) known for their robust security features. We leverage built-in security monitoring, firewalls, and threat detection tools provided by these platforms, and we continuously monitor our environment for potential vulnerabilities or intrusions.

• Policies and Training: Internally, we maintain policies and standard operating procedures that enforce data protection practices. All team members are trained on confidentiality and privacy responsibilities. We also require that we have a Non-Disclosure Agreement (NDA) in place with every client engagement – we never access or use an organization’s sensitive information without a formal NDA to protect it. This underscores our commitment to confidentiality for client data.

• Risk Management and Testing: We regularly assess our security controls and practices. This includes periodic risk reviews, compliance checks, and audits of our systems. By aligning with recognized frameworks and best practices, we aim to proactively mitigate risks to client data. We also maintain incident response plans to handle any security events swiftly and transparently.

• Resilience and Backup: In line with our value of “Serenity Through Security,” our architecture is designed with redundancies and backups to protect data integrity. In the unlikely event of a security breach or systems issue, these measures help ensure that any exposure of data is minimized and that we can restore services and data from secure backups.

While no method of data transmission or storage can be guaranteed 100% secure, we continuously strive to protect your information using state-of-the-art security measures and to update our safeguards as new threats emerge. We also encourage our customers to take steps on their side, such as protecting account credentials, to help keep their information safe.

Data Retention and Deletion

We retain personal and organizational data only for as long as it is necessary to fulfill the purposes described in this policy or as required by our business contracts and applicable laws. In general, this means we keep your information for the duration of your organization’s active contract or account with Circumference Tech and for a reasonable period thereafter to wrap up services, resolve disputes, or as needed for legal/compliance recordkeeping. We periodically review the data we hold and securely delete or anonymize information that is no longer needed. We do not keep personal data indefinitely without justification.

Importantly, we provide our users with a convenient way to request deletion of their personal data. You (or an authorized representative of your organization) have the right to request that we terminate and delete your data from our systems. We offer a self-service portal for data deletion requests at DeleteMyData.circumferencetech.com. Through this portal, you can authenticate and submit a request to have all personal information we hold about you removed. Once we receive a deletion request through the portal, we will verify the request and proceed to erase or anonymize the personal data associated with your account within our records, provided that we are not required to retain it for legitimate business or legal reasons. If for some reason we must retain certain data (for example, for financial recordkeeping or legal compliance), we will inform you about that and ensure such data is protected and only retained for the necessary period. Otherwise, termination of your data means we will permanently delete your personal identifiers and any link between you and the organizational data in our systems.

Please note that deletion of data may be irreversible. After we fulfill a deletion request, we may retain non-identifying information (e.g. aggregated service usage statistics that no longer identify any individual) for analytical purposes, but this data will not be traceable back to you. We will also maintain a record that a deletion request was fulfilled, as required to document our compliance.

Your Rights and Choices

As a business user of Circumference Tech services, you have certain rights and choices regarding your personal information:

• Access and Update: You may contact us at any time to inquire about the personal data we have about you. We will provide you with a summary of your information and, if needed, help you update or correct any inaccuracies. Because our services are provided to organizations, some updates (like changing a work email on an account) may need to be coordinated through your employer, but we will assist in ensuring your information remains accurate.

• Data Deletion: As noted above, you have the right to request deletion of your personal data. The fastest way to do so is via our DeleteMyData portal. You can also contact us directly to request deletion. We will honor deletion requests and remove your data from our active systems, barring any data we must keep to meet legal or contractual obligations.

• Opt-Out of Communications: We do not send marketing emails to individual users, but we may send service-related or product update communications. If at any time you or your organization’s point of contact prefer not to receive certain types of optional communications from us, you can inform us and we will respect your preferences. (Note that you will still receive essential service and account communications.)

• Non-Discrimination: We will not penalize or discriminate against any user for exercising privacy rights in good faith. Even though we primarily service businesses, we extend this principle to all individuals engaging with our services. For example, if you request data deletion, we will not deny you service or provide a different quality of service as a result; we will simply carry out the request as long as it is feasible and consistent with providing the service.

To exercise any of these rights or if you have questions about your rights, you can reach out via the contact information provided at the end of this policy. We will require appropriate verification (and possibly coordination with your employer’s account administrator) before releasing or modifying information, to ensure that we do not give access to data to an unauthorized person.

U.S.-Only Service and Regulatory Compliance

Circumference Tech’s services are limited to U.S. jurisdictions. We currently only offer our consulting, audit, and software services to clients located in the United States, and we process data on servers located in the U.S. Because we do not operate internationally or handle the data of non-U.S. persons, global data protection laws like the GDPR do not apply to our operations. We do not intend to offer services in the European Union or other regions that would subject us to GDPR or similar international privacy laws. If this ever changes in the future, we will update our practices and this policy accordingly to ensure compliance and transparency.

Additionally, Circumference Tech is not a “covered entity” or “business associate” under HIPAA, and we do not collect or manage protected health information. Our services are not designed for healthcare providers or for processing personal health records. Therefore, HIPAA regulations are generally not applicable to the data we handle. In the event that we inadvertently encounter any sensitive data subject to laws like HIPAA, we will handle it with the highest care and either return or delete it as appropriate, since it is outside our service scope.

That said, we are committed to abiding by applicable U.S. federal and state privacy laws that do govern our activities. We monitor developments in U.S. privacy regulations to ensure we meet any requirements that apply to us. Even where specific laws (like consumer privacy laws in certain states) may not strictly apply because of our B2B focus, we aim to uphold their underlying principles as a matter of good practice. Our approach is to treat all personal data with respect and care, adhering to fundamental principles of privacy and security that are consistent across many regulatory frameworks – such as notice, transparency, data minimization, security safeguards, and allowing individuals reasonable control over their data. By proactively following these best practices, we maintain trust with our clients and reduce risk, regardless of the regulatory technicalities.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or privacy practices. If we make a significant change in the way we handle your personal information, we will provide prominent notice – for example, by posting the updated policy with a new effective date on our website and, when appropriate, informing our client contacts via email or within the service. We encourage you and your organization’s administrators to review this Policy periodically to stay informed about how we are protecting your information. The “last updated” date at the top of the policy will always indicate the most recent revision. Continued use of our services after an update constitutes acknowledgment of the updated terms.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how Circumference Tech handles your data, please do not hesitate to contact us. You can reach our privacy team by email at privacy@circumferencetech.com.

Additionally, for data deletion requests, you may use our dedicated portal at DeleteMyData.circumferencetech.com as described above. We are here to help and will respond as promptly as possible to ensure your questions are answered and your rights are respected.

Your trust is extremely important to us. Circumference Tech is built on the values of autonomy, creativity, and security – and privacy is paramount in upholding those values. We appreciate the opportunity to work with you and are committed to protecting your data while delivering our “Full Circle” IT solutions.