TL;DR –> This is long and boring (but important).

So here’s a summary:

Summary

• We intentionally keep to a minimum the information we hold about you
• We use your data to provide services to you, respond to your enquiries, manage our relationship with you, meet obligations, and generally operate a consultancy
• We delete your data when it’s no longer needed for these things
• We don’t give your information to third parties, but there are some exceptions
• You have lots of privacy rights
• We legit take privacy and security seriously
• We don’t track you (but Google and others might)
• We don’t use cookies here
• We’re happy to answer your questions – ask away to hi [at] resilience dot sh

This page was last edited in January of 2021 (so prolly needs an update)

More Detail

Hi. We’ve put real effort into helping you understand practices for this site. As a consultancy, we avoid collecting any data about you that’s not absolutely needed and we absolutely do not sell any data about you, especially not to anyone else.

This consultancy is based in the United States & supports the EU’s General Data Protection Regulation (GDPR) as well as the US’s California Consumer Protection Act (CPRA, too), New York’s SHIELD, and we’re currently trying to keep up with new legistation at the state level emerging across the U.S., on behalf of all users, regardless of citizenship or residency status. We believe everyone deserves to have their information treated with respect. At the very least, we are going to do our best to demonstrate to you that we’re trying.

By using this site you agree to accept our practices. We may make changes to the Privacy Policy from time-to-time but will always post updates here. If you don’t agree with them don’t use this site. If you continue to use this site after changes are made to the Privacy Policy that means you accept those changes.

We’re the data controller responsible for this site. You can contact us with questions about this policy:

• Email: privacy [at] resilience dot sh

This Privacy Policy is designed to achieve two things:

1. To help educate others about stuff like this and why it’s important. Not a small or easy task. Honestly, if you’ve read this far that’s progress.
2. To describe to you how information is collected and how your personal information is used in compliance with data protection laws within the United States of America (US) + the European Union (EU), including the EU-US + Swiss – US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the US, respectively, in addition to the EU’s General Data Protection Regulation (GDPR) and the US’s California Consumer Protection Act (CCPA).

This Privacy Policy addresses things like:

• What ‘Personal Information’ is
• Kids and COPPA
• Your rights to your information
• Cookies and stuff: behavior tracking technologies (we don’t use them)
• The kinds of information about you we might collect
• Why we collect it
• How your information is used

What is “Personal Information”?

Generally speaking, “Personal Information” is your name, address, date of birth, phone number, and email address. Any information that can personally identify you. In the scope of services we provide, the information we typically collect includes your first name, last name, and business email address. We don’t use any of this for any marketing purposes, by the way. You are free to browse this site without providing any information. We do collect your contact information, however, when you contact us for services.

Kids and COPPA

We care about keeping kids safe online and want to help you protect your children’s privacy, too. We encourage you to talk to your kids about what ‘personal information’ is and help them understand how to ensure safe and responsible use of their personal information while they’re using the Internet.

We comply with the Children’s Online Privacy Protection Act of 1998 (COPPA), which means our site isn’t intended to be used by anyone under 13 years old, so we don’t intentionally gather Personal Information from visitors under that age. If you’re under 13 and reading this, please don’t submit any information. Thanks.

It is possible, however, that we could receive information pertaining to someone under 13 via fraud or deception by a 3rd party. If we are notified of this, we’ll verify the information, and immediately obtain the appropriate parental consent/confirmation regarding that information or, if unable to obtain such parental consent, we’ll securely delete the information comprehensively from our systems.

If you would like to notify us of receipt of information about persons under 13, please do so by sending an email to privacy [at] wimzkl.com

Your rights to your information

Within the rules of the frameworks mentioned at the top of this policy, you should know that you have the following rights:

• to request access to your information + information related to the use + processing of your information;
• to request the correction or deletion of your information – this is arguably one of the coolest tenets of the GDPR.  Article 17  provides your “Right to be Forgotten”;
• to request that we restrict our use of your information;
• to receive information which you have provided to us in a structured, commonly used and machine-readable format (e.g. a CSV file) and the right to have that information transferred to another data controller (including a 3rd party data controller);
• to object to the processing of your information for certain purposes;
• to withdraw your consent to our use of your information at any time where we rely on your consent to use or process that information. Please note –> if you withdraw your consent, this will not affect the lawfulness of our use and processing of your information on the basis of your consent before the point in time you chose to withdraw your consent.

Article 77 of the GDPR states you also have the right to lodge a complaint with a supervisory authority, in particular your state of residence or place of work of an alleged infringement of the GDPR. You can also find out further information about your rights, as well as information on any limitations which apply to those rights, by Articles 12 to 22 + 34 of the GDPR.

Verifying your identity where you request access to your information

Whenever you request access to your information, we are required to use all reasonable measures to verify your identity first in order to protect your information and reduce risk of identity fraud, identity theft and/or unauthorised access to your information.

How we verify your identity

We’ll do our best to verify your identity using information available to us. If it’s not possible to identify you due to insufficient information, for example, we may require additional documentation before we can responsibly grant access to your information. We will, however, be able to confirm the precise information required to verify your identity in your specific circumstances if and when you make such a request.

Cookies and stuff: behavior tracking technologies

We don’t use cookies, analytics, behavioral profiling tools or tracking technologies or any kind, such as hidden pixels, gifs or Web beacons. We don’t like to be tracked or profiled and we presume you don’t, either. Our new business leads come from building relationships, real connections to real people, not by covertly collecting information on the habits of strangers. Battles of taste may never be won but this is how we choose to do things, even if it costs us a few leads now and then.

Wanna opt out of behavioral tracking on websites that use such tools? Here’s how: https://optout.aboutads.info 

We don’t use Google Analytics, either. Here’s some useful info about that, too: https://www.google.com/analytics/learn/privacy.html.

Want to limit other sites’ use of cookies on your devices?  Learn more here: https://www.allaboutcookies.org or https://www.youronlinechoices.eu.

“Do Not Track” is a privacy preference you can set in browsers. When you enable Do Not Track, the browser sends a message to sites requesting that they do not track you. Learn more this: https://www.allaboutdnt.org

Here’s some important stuff to know about cookies, too:

• European Interactive Digital Advertising Alliance (EU)
• Internet Advertising Bureau (US)
• Internet Advertising Bureau (EU)

Be aware that different browsers handle cookies differently:

• Google Chrome
• Internet Exploder
• Mozilla Firefox
• Safari (Desktop)

Here’s a great tool to test your browser against common tracking: https://panopticlick.eff.org

What personal information do we collect?

Email

When you contact us via email, you submit Personal Information that may include names, email addresses, as well as any info you share in the body of the email so we can promptly respond to your inquiry.

When you do that, you consent to our collection, use, and disclosure of your Personal Information in accordance with our Privacy Policy. Other information we might collect includes public information available on the Internet or information obtained from other service providers in order to better understand your business, for example, so we can design and deliver the best experience or solution possible in our work together:

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the GDPR)

Legitimate interest(s): Responding to inquiries, messages we receive, and keeping records of that correspondence.

Transfer + storage of your information: We use a 3rd party email provider to store messages you send to us. Our providers are based in Australia and Switzerland.

Country of storage: US, which isn’t subject to an adequacy decision by the European Commission.

Safeguard(s) used: Our 3rd party email provider has self-certified its compliance with the EU-US Privacy Shield which is available here. The EU-US Privacy Shield is an approved certification mechanism under Article 42 of the GDPR, which is permitted under Article 46(2)(f) of the GDPR. You can access the European Commission decision on the adequacy of the EU-US Privacy Shield here, too.Phone

When you contact us by phone, we collect your phone number and any information provided to us during your conversation with us. We do not record phone calls:

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the GDPR)

Legitimate interest(s): Responding to inquiries, messages we receive, and keeping records of that correspondence.

Transfer and storage of your information: Information about your call, such as your phone number, including the date and time of your call, is processed by our 3rd party telephone service provider and stored in the US.Post (Snail Mail)

If you contact us by post, we will collect any information you provide to us in any postal communications you send us:

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the GDPR).
Legitimate interest(s): Responding to inquiries, messages we receive, and keeping records of that correspondence.

Transfer + storage of your information: Information you send us by post is stored in the US.Processing your payment

When working with us you will need to make payment for the services you have purchased. We process your payment using a 3rd party, PayPal:

Legal basis for processing: Necessary to perform a contract (Article 6(1)(b) of the GDPR).

Reason why it’s necessary to perform a contract: To fulfil your contractual obligation to pay for the services you have ordered from us.

3rd party payment processors

The 3rd party payment processor we use, PayPal, collects, uses, and processes your information, including payment information, in accordance with their privacy policy.

Transfer + storage of your information: PayPal may transfer information relating to your transaction and the processing of your transaction outside the European Economic Area. Where they do so, they will put appropriate safeguards in place.Information Received from 3rd Parties

Generally, we do not receive information about you from 3rd parties. The 3rd parties from which we might receive information about you is typically other businesses and clients we work with who may recommend us to you. These could be in any industry, sector, sub-sector or location.

It’s also possible that 3rd parties with whom we have had no prior contact may provide us with information about you, but only with your consent.

Information we obtain from 3rd parties will generally be your name and contact details, but will include any additional information about you which they provide to us:

Legal basis for processing: Necessary to perform a contract or to take steps at your request to enter into a contract (Article 6(1)(b) of the GDPR).

Reason why it’s necessary to perform a contract: Where a 3rd party has passed on information about you to us (such as your name and email address) in order for us to provide services to you, we’ll process your information at your request to enter into a contract with you and perform a contract with you (as the case may be).

Legal basis for processing: Consent (Article 6(1)(a) of the GDPR).
Consent: Where you’ve asked a 3rd party to share information about you with us and the purpose of sharing that information is not related to the performance of a contract or services by us to you, we’ll process your information with your consent, which you give by asking the 3rd party to share your information with us:

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the GDPR).

Legitimate interests: Where a 3rd party has shared information about you with us and you have not consented to the sharing of that information, we will have a legitimate interest in processing that information in certain circumstances. To delete it, for example.

Another example might be something like this: we would have a legitimate interest in processing your information to perform our obligations under a sub-contract with the 3rd party, where the 3rd party has the main contract with you. Our legitimate interest is our performance and obligations under our sub-contract.

Similarly, 3rd parties may pass on information about you to us if you have infringed or potentially infringed on any of our rights. In this case, we’ll have a legitimate interest in processing that information to investigate any such potential infringement:

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the GDPR).

Legitimate interests: In certain circumstances, we’ll have a legitimate interest in obtaining information about you from public and private sources. For example, if you have infringed or we suspect that you have infringed any of our legal rights, we will have a legitimate interest in obtaining + processing information about you from such sources in order to investigate + pursue any suspected or potential infringement.Information obtained by us from 3rd parties

In certain circumstances (for example, to verify the information we hold about you or obtain missing information we require to provide you with a service) we will obtain information about you from certain publicly accessible sources, both EU + non-EU, such as business directories, media publications, social media, and sites (including your own, if you have one). We may do this, for example, if we have insufficient information to be able to contact you or understand your business for the purposes of working together.

Legal basis for processing: Necessary to perform a contract or to take steps at your request to enter into a contract (Article 6(1)(b) of the GDPR).
Reason why it’s necessary to perform a contract: Where you have entered into a contract or requested that we enter into a contract with you, in certain circumstances, we will obtain information about you from public sources in order to enable us to understand your business and provide you with quality services to our standards.

How do we use your information?

We may process your information for legitimate business purposes. We make efforts to consider and balance any potential impact on you and your rights under applicable data protection laws. Legitimate business purpose primarily include how to improve our services or to investigate fraud or for other legal purposes.

For example, this site is hosted by 3rd party technology infrastructure located in the US that automatically logs IP addresses used to access this site as well as other information about your visit, such as the pages you accessed, information requested, the date/ time of the request, the source of your access to this site (e.g. the URL or link that referred you to our site), your browser version, and operating system.

Our 3rd party hosting provider stores server logs to ensure network and IT security so the server, systems, and site(s) are resistant and resilient to compromise. We use automated tools to analyze log files that identify nefarious activity and help prevent unauthorised access to our network, the distribution of malicious code, denial of services attacks, and other cyber attacks, by detecting unusual or suspicious activity.

Unless we are engaged in investigating suspicious or potential criminal activity, we don’t make request of or allow our provider to make any attempt to identify you or your online browsing habits from the information collected via those logs:

Legal basis for processing: compliance with a legal obligation to which we are subject (Article 6(1)(c) of the GDPR).

Legal obligation: we have a legal obligation to implement appropriate technical and operational measures to ensure baseline levels of security appropriate to the risk of our processing of information about individuals. Recording access to our website using server log files is such a measure:

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the GDPR).

Legitimate interests: we have a legitimate interest in using your information for the purposes of ensuring network and information security.

Distribution of Information
We reserve the right to disclose your Personal Information under the following conditions: (1) when permitted or required by law; (2) when trying to protect against or prevent actual or potential fraud or unauthorized transactions; or (3) when investigating fraud which has already taken place. The information is never provided to other organizations for marketing purposes.

It may go without saying but to be explicit: we ask that you don’t use our site or services for any means that are deceptive, malicious, or with the intention to abuse or misuse any computer system, organization, or person. Use of our site or services for any of the purposes outlined in this paragraph is strictly prohibited.Disclosure of Your Information to Service Providers

We use a number of 3rd parties to provide us with services which are necessary to run our business and to assist us with running our business + who process your information for us on our behalf. These include the following:

• Telephone providers (US),
• Email providers (US + Switzerland),
• IT service providers (US + Switzerland),
• Hosting provider (US).

Your information will be shared with these service providers only where necessary to enable us to run our business.

Disclosure of Criminal Acts or Threats to Public Security to a Competent Authority

If we suspect that criminal or potentially criminal conduct has occurred, we will in certain circumstances need to contact an appropriate authority, such as the FBI. This could be the case, for instance, if we suspect that fraud or a crime has been committed or if we receive threats or malicious communications towards us or 3rd parties we are working with.

We’ll generally only need to process your information for this purpose if you were involved or affected by such an incident in some way:

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the GDPR).
Legitimate interests: Preventing crime or suspected criminal activity (such as fraud).

Enforcement of Our Rights

We’ll use your information in connection with the enforcement or potential enforcement of our rights, including sharing information with debt collection agencies if you don’t pay amounts owed to us when you are contractually obliged to do so. Our legal rights may be contractual (where we have entered into a contract with you) or non-contractual (such as legal rights that we have under copyright law, for example):

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the GDPR).
Legitimate interest: Enforcing our legal rights and taking steps to enforce our legal rights.

Legal Dispute or Proceedings

We may need to use your information if we are involved in a dispute with you or a 3rd party. For example, either to resolve the dispute or as part of any mediation, arbitration, court resolution or similar process:

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the GDPR).
Legitimate interest(s): Resolving disputes + potential disputes.

Compliance with Laws, Regulations + Other Legal Requirements

We’ll use and process your information in order to comply with legal obligations to which we are subject. For example, we may need to disclose your information pursuant to a court order or subpoena if we receive one in connection with suspected or potential money laundering matters:

Legal basis for processing: Compliance with a legal obligation (Article 6(1)(c) of the GDPR).

Legal obligation(s): Legal obligations to disclose information which are part of the laws of Illinois or if they have been integrated into the US’s legal framework (for example in the form of an international agreement which the US has signed with the EU).

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the GDPR).

Legitimate interest: Where the legal obligations are part of the laws of another country and haven’t been integrated into the US’ legal framework, we have a legitimate interest in complying with these obligations.

3rd Parties
To provide our services, we may occasionally use 3rd party businesses to provide and perform specialized products and services for data processing. When we provide Personal Information to these businesses, they aren’t permitted to use the Personal Information for any reason outside of the scope for which we contracted them:

Legal basis for processing: Legitimate interests (Article 6(1)(f) of the GDPR).

Legitimate interest(s): Sharing your information with a prospective purchaser, seller or similar person in order to allow such a transaction to take place.

We may share your information with 3rd parties, which are either related to or associated with the running of our business, where it’s necessary for us to do so. These 3rd parties include our accountants, advisors, affiliates, business partners, independent contractors and insurers:

Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the GDPR).

Legitimate interest: Running and managing our business efficiently.

Payment processing When you pay for services, if you select PayPal, information about your order and the processing of your order may be transferred outside the European Economic Area.

PayPal: If you’re a citizen of the EU making payment from outside the US, PayPal may transfer information they process about your order outside the EU. Where they do so, they will ensure appropriate safeguards are in place. PayPal’s privacy policy lives here.

Selling of Personal Information
We will never sell your Personal Information.  To anyone. For any reason. Ever.

Commitment to Data Security
Your Personal Information is kept secure. Only authorized employees, agents, and contractors (who have agreed to keep information secure and confidential) have access to this information.

We (and our 3rd party service providers) use a variety of industry standard security measures to minimize risk of unauthorized access to, use or disclosure of your Personal Information. These security measures consist of but are not limited to data encryption and physical security. Keep in mind that no method of transmission or electronic storage is 100% secure 100% of the time. We make every effort by industry standards to protect your Personal Information, but we cannot guarantee its absolute security absolutely.

Changes to Your Personal Information
We’re happy to provide you with information about whether or not we hold any of your Personal Information. Upon verification, you may choose to exercise your right to request that we  securely delete your Personal Information from our servers and systems . Note that there may be specific circumstances in which we cannot delete your Personal Information. For example, when we delete your Personal Information, it will be erased from our production systems, however, some of it may still be archived in our backups in accordance with our retention policies.

If you would like to access your Personal Information and/or correct, amend, or delete the information where it is inaccurate, please contact us at privacy [at] wimzkl dot com

Data Retention

We will retain your Personal Information for the period necessary to fulfill the purpose outlined in this Privacy Policy unless a longer retention period is required for some reason, such as by applicable data privacy law.

In any other circumstances, we’ll retain your information for no longer than necessary, taking into account the following:

• the purpose(s) and use of your information both now and in the future (such as whether it’s necessary to store that information in order to continue to perform our obligations under a contract with you or to contact you in the future);
• whether we have any legal obligation to continue to process your information (such as any record-keeping obligations imposed by relevant law or regulation);
• whether we have any legal basis to continue to process your information (such as your consent);
• how valuable your information is (both now and in the future);
• any relevant agreed industry practices on how long information should be retained;
• the level of risk, cost, and liability involved with continuing to hold the information;
• how hard it is to ensure that the information can be kept up to date and accurate;
• any relevant surrounding circumstances (such as the nature and status of our relationship with you).

Accuracy
We take reasonable steps to ensure that your Personal Information is accurate, complete, current, and otherwise reliable for its intended use.

Enforcement
If we obtain knowledge that one of our service providers or partners is in violation of this Privacy Policy, we’ll take reasonable steps to prevent the unauthorized use or disclosure of your Personal Information. We take data privacy seriously and agree to take commercially reasonable measures to ensure the proper handling of your Personal Information by our larger community of partners and service providers.

Fin

You read all the way to the end? Are you a super-curious type, policy wonk, bored or stealing this to use on your own site?

If you’re stealing this, cool, but please give us a nod of credit, wontcha?  We work hard to make great stuff.

Thanks for reading.