Privacy Policy
1. Purpose
The purpose of this policy is to establish a formal approach for protecting personal data processed by Optivate Agency. This policy outlines how we collect, use, retain, disclose, and protect personal data in accordance with applicable legal, contractual, and regulatory obligations.
2. Scope
This policy applies to:
- All employees, contractors, consultants, and third-party service providers who process personal data on behalf of Optivate Agency
- All processing activities involving personal data across all company systems and environments
- All data subjects whose personal data is collected, including:
- Clients
- Employees
- Vendors
- Website users
- Job applicants
3. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Data Subject | The individual whose personal data is processed |
| Processing | Any operation performed on personal data (collection, use, storage, deletion, etc.) |
| Controller | The entity that determines the purpose and means of processing (Optivate Agency) |
| Processor | A third party processing personal data on behalf of the controller |
| Sensitive Data | Personal data requiring enhanced protection (e.g., health data, ID numbers, location) |
4. Types of Personal Data Collected
Optivate Agency may collect and process the following types of personal data:
4.1 Client Data
- Full name, email address, company details
- Contact history and communication preferences
- Contract and billing information
- Feedback, support requests, and surveys
4.2 Employee & HR Data
- Government-issued IDs, tax and payroll information
- Employment history, performance reviews, leave records
- Health-related data (only where necessary for compliance)
4.3 Marketing & Website Data
- Visitor IP address, browser type, and device metadata
- Contact form submissions, newsletter signups
- Cookies, pixels, and tracking data (subject to consent)
5. Data Collection Methods
Data is collected through:
- Online forms on our website or landing pages
- Google Workspace (Gmail, Drive, Forms)
- Monday.com boards and automations
- HR/recruitment platforms or direct submissions
- Client onboarding and project engagements
- API integrations or usage logs (for services on AWS)
6. Lawful Basis for Processing
We process personal data under the following legal bases:
- Consent (e.g., newsletter subscriptions)
- Contractual necessity (e.g., project execution, employment contracts)
- Legal obligation (e.g., tax, regulatory reporting)
- Legitimate interest (e.g., service improvement, security monitoring)
7. Use of Personal Data
Personal data is used for the following purposes:
- Delivering and improving services
- Providing customer and technical support
- Fulfilling employment and payroll obligations
- Ensuring compliance with applicable laws
- Sending relevant marketing and service updates (opt-in only)
- Monitoring system performance and security
8. Data Minimization and Accuracy
- Only the minimum necessary data is collected and retained for its stated purpose
- Data is reviewed regularly for accuracy and relevance
- Data subjects can request corrections or updates via: infosec@optivateagency.com
9. Data Sharing and Disclosure
We may share personal data with:
- Internal departments strictly on a need-to-know basis
- Third-party service providers (e.g., Google, AWS, Monday.com) under data processing agreements
- Regulators, legal authorities, or courts under valid legal requests
- Third parties in the context of mergers, acquisitions, or restructuring (with privacy safeguards)
We do not sell, rent, or lease personal data to any entity.
10. Cross-Border Data Transfers
Where data is transferred across borders (e.g., to cloud services in the US or EU), we ensure:
- The use of Standard Contractual Clauses (SCCs) or other valid legal mechanisms
- Vendor compliance with GDPR, ISO 27001, or SOC 2 Type II certifications
- Data residency is honored where legally required or contractually agreed
11. Data Retention and Disposal
| Data Type | Retention Period |
|---|---|
| Client data | 7 years post-contract (for auditing) |
| Employee HR data | 6 years after termination |
| Recruitment data | 12 months (unless consent for longer) |
| Marketing contacts | Until withdrawal of consent |
- Data is securely disposed of using digital wiping or destruction methods
- Retention periods are reviewed annually and updated as needed
12. Data Subject Rights
Optivate Agency supports the following rights of individuals:
| Right | Description |
|---|---|
| Right of Access | Know what data we hold and why |
| Right to Rectification | Request correction of incorrect data |
| Right to Erasure | Request deletion (when not required to retain by law) |
| Right to Restrict Processing | Temporarily halt processing under certain conditions |
| Right to Object | Object to processing based on legitimate interest or direct marketing |
| Right to Data Portability | Receive data in a portable, machine-readable format |
| Right to Withdraw Consent | At any time, where consent is the basis of processing |
Requests must be submitted to: infosec@optivateagency.com
Response within 90 calendar days
13. Data Protection Measures
We use a combination of organizational and technical safeguards:
- Google Workspace: MFA, data loss prevention (DLP), secure Drive sharing
- AWS: IAM access control, encrypted EBS volumes, CloudTrail logging
- Monday.com: Role-based access, board visibility control
- Endpoint protection, firewalls, and antivirus
- Annual risk assessments and internal audits
- Privacy and security awareness training for all staff
14. Cookies and Tracking
- Our website uses cookies for analytics, personalization, and session management
- Users are informed and can opt-in to non-essential cookies
- Google Analytics and similar tools anonymize IP addresses
- A detailed cookie policy is available on our website
15. Third-Party Processors and Subprocessors
Optivate Agency partners only with subprocessors who:
- Provide data processing agreements (DPAs)
- Maintain high security standards (ISO, SOC 2, GDPR compliance)
- Permit audit and transparency of data handling
Examples:
- Google LLC (Workspace)
- Amazon Web Services (AWS)
- monday.com Ltd.
- [Optional: CRM, accounting platform, etc.]
16. Data Breach Notification
- All confirmed personal data breaches will be:
- Investigated and documented promptly
- Reported to relevant supervisory authorities (within 72 hours if required)
- Communicated to affected individuals when there is a risk of harm
- Response activities follow our Incident Management Policy
17. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Data Protection Officer | Ensure compliance, handle data subject requests, manage privacy risks |
| Information Security Team | Implement technical controls and monitor security logs |
| Department Heads | Ensure only necessary data is collected and access is restricted |
| All Employees | Adhere to privacy and security policies; complete privacy training annually |
18. Training and Awareness
- All employees undergo privacy awareness training during onboarding and annually
- Privacy topics are included in internal communications, security newsletters, and refresher workshops
- Role-specific training is provided for HR, marketing, sales, and tech teams handling personal data
19. Compliance and Enforcement
- Failure to comply with this policy may result in disciplinary action
- Serious violations (e.g., unauthorized disclosure or mishandling) may result in termination or legal action
- Internal audits are conducted to monitor compliance with this policy and applicable laws
20. Review and Updates
- This policy is reviewed annually by the DPO and Legal team
- It may be updated in response to:
- New legal or regulatory requirements
- Changes in business operations or platforms
- Lessons learned from privacy incidents or audits
