01 Overview
BRANDED IAM ("Company," "we," "us," or "our") is a digital services company headquartered at 2010 Crow Canyon Pl Suite 100, San Ramon, CA 94583. We provide web design and hosting, managed IT support, cybersecurity services, and creative design and branding to small and medium-sized businesses throughout the United States.
This Privacy Policy describes how we collect, use, store, share, and protect information about you when you visit our website (brandediam.com), use our client portal, receive our services, communicate with us, or otherwise interact with BRANDED IAM.
By using our website or services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not use our website or services. This policy is incorporated by reference into our Terms of Service.
We are committed to protecting your personal information in accordance with applicable privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the General Data Protection Regulation (GDPR) for individuals in the European Economic Area (EEA) and United Kingdom, and other applicable state and federal privacy laws.
02 Information We Collect
We collect information in three primary ways: information you provide directly, information collected automatically, and information from third parties.
A. Information You Provide Directly
- Contact & Identity Information: Name, email address, phone number, business name, job title, and mailing address when you fill out our contact forms, request an audit, register for portal access, or otherwise communicate with us.
- Account Credentials: Username and password for your client portal account. We store passwords in a hashed, salted format and never in plaintext.
- Payment Information: Billing address and payment card details when you purchase our services. Card numbers are processed and stored by Stripe, Inc. (our PCI DSS Level 1 certified payment processor) — we never store your full card number on our servers.
- Business Information: Details about your business, technical environment, existing systems, IT infrastructure, design assets, website content, and preferences shared during our engagement.
- Communications: Messages, emails, support tickets, chat conversations, and any other content you send to us directly or through the client portal.
- Survey & Feedback Data: Responses to satisfaction surveys, review requests, or feedback forms we send to clients and site visitors.
B. Information Collected Automatically
When you visit our website, we automatically collect certain technical and usage data:
- Device & Technical Data: IP address, browser type and version, operating system, device type, screen resolution, and referring URL.
- Usage Data: Pages you visit, time spent on each page, links clicked, scroll depth, search queries on our site, and navigation path through the site.
- Cookie & Tracking Data: Data collected through cookies, web beacons, pixel tags, and similar technologies. See Section 05 (Cookies & Tracking) for full details.
- Log Files: Server logs that record requests, errors, and access events. These logs are retained for security monitoring and debugging.
- Performance Data: Page load times, server response times, and client portal performance metrics used to improve our platforms.
C. Information From Third Parties
- Business Intelligence Tools: We may receive publicly available business information from data enrichment providers to better understand prospective clients.
- Referral Partners: If you were referred to us by a partner, we may receive your contact information and context from the referring party.
- Social Media Platforms: If you interact with our social profiles or share content from our site, we may receive aggregated insights from those platforms.
03 How We Use Your Information
We use the information we collect for specific, limited purposes:
Service Delivery
To build websites, provide IT support, deliver design work, manage your hosting and domain, and fulfill all contracted services.
Account Management
To create and manage your client portal account, authenticate you, and maintain your service subscriptions.
Payment Processing
To issue invoices, process payments, manage subscriptions, and send billing notifications.
Customer Support
To respond to support tickets, answer questions, troubleshoot issues, and communicate about your projects.
Service Improvement
To analyze usage patterns, fix bugs, improve our website and portal, and develop new features and offerings.
Security & Fraud Prevention
To detect, investigate, and prevent fraudulent activity, unauthorized access, and other security threats.
Legal Compliance
To comply with applicable laws, respond to legal process, enforce our agreements, and protect our legal rights.
Marketing Communications
To send newsletters, service updates, and promotional content to subscribers. You may opt out at any time.
We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals. We do not sell your personal information to third parties for their own marketing purposes.
04 Legal Basis for Processing (GDPR)
For individuals located in the EEA, UK, or Switzerland, we process your personal data under the following legal bases as defined in the GDPR:
Contractual Necessity
Processing is necessary to perform a contract with you or to take steps at your request prior to entering into a contract — for example, delivering your website, managing your IT plan, or processing your payment.
Legitimate Interests
We process certain data based on our legitimate interests in operating and improving our business, preventing fraud, and maintaining security, provided those interests are not overridden by your rights and interests.
Legal Obligation
Processing is necessary for us to comply with applicable laws, such as tax, accounting, and anti-money laundering obligations.
Consent
Where we rely on consent — such as for marketing emails or non-essential cookies — you may withdraw that consent at any time without affecting the lawfulness of prior processing.
07 Data Retention
We retain your personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. The following general retention schedules apply:
| Data Type | Retention Period |
|---|---|
| Active client account data | Duration of the service relationship + 3 years |
| Payment and billing records | 7 years (tax and accounting requirements) |
| Support ticket history | 3 years from ticket closure |
| Marketing communications | Until you unsubscribe + 1 year |
| Website analytics data | 26 months (Google Analytics default) |
| Security and access logs | 12 months |
| Deleted account data | Purged within 90 days of deletion request |
| Legal hold data | Until legal matter is resolved |
08 Data Security
We implement a comprehensive set of technical, organizational, and administrative security measures designed to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These measures include:
- TLS/SSL encryption for all data in transit between your browser and our servers
- AES-256 encryption for sensitive data stored at rest
- Hashed and salted password storage (bcrypt algorithm)
- Multi-factor authentication (MFA) for all administrative access to production systems
- Regular third-party penetration testing and vulnerability assessments
- Role-based access controls limiting employee access to only the data necessary for their function
- Comprehensive security incident response plan and documented breach notification procedures
- Employee security training and background screening for staff handling client data
- Intrusion detection and 24/7 system monitoring for Managed plan clients
Despite our best efforts, no method of electronic transmission or storage is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify affected individuals and applicable regulatory authorities within the timeframes required by law (generally 72 hours for GDPR, and as required by applicable state laws).
09 International Data Transfers
BRANDED IAM is headquartered in the United States. If you are located outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate. These countries may have privacy laws that differ from those in your jurisdiction.
For transfers from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and where applicable, the UK International Data Transfer Agreement (IDTA). We ensure that appropriate safeguards are in place before transferring your personal data internationally.
10 Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
Right of Access
Request a copy of the personal information we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your personal data, subject to certain legal exceptions.
Right to Restriction
Request that we restrict processing of your data in certain circumstances.
Right to Portability
Receive a machine-readable copy of your data to transfer to another provider.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
Withdraw Consent
Withdraw consent at any time where processing is based on your consent.
Lodge a Complaint
File a complaint with your local data protection authority (e.g., the California AG or your EU supervisory authority).
How to Exercise Your Rights
To exercise any of the rights listed above, submit a written request to [email protected] or via postal mail to our address below. We will respond within 30 days (or 45 days with an extension notice). We may need to verify your identity before fulfilling your request. We will not discriminate against you for exercising your privacy rights.
11 California Residents — CCPA/CPRA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding your personal information.
We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising without your consent.
Under CCPA/CPRA, California residents have the right to: (1) know what personal information is collected, used, shared, or sold; (2) delete personal information collected from them (with exceptions); (3) opt out of the sale or sharing of personal information; (4) be free from discrimination for exercising CCPA rights; (5) correct inaccurate personal information; and (6) limit use and disclosure of sensitive personal information.
To submit a verifiable consumer request, contact us at [email protected]. You may also designate an authorized agent to make requests on your behalf. California residents may also contact the California Attorney General's office for more information about their rights.
12 Children's Privacy
Our website and services are directed to business owners and professionals, not to children under the age of 13 (or 16 in applicable jurisdictions). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at [email protected] and we will promptly delete such information from our systems.
13 Third-Party Links and Services
Our website may contain links to third-party websites, integrations, or services that are not operated by BRANDED IAM. These include our technology partner websites (Cloudflare, Shopify, Stripe, etc.) and social media platforms. When you click on these links, you leave our website and are subject to the privacy policies of those third parties. We have no control over and assume no responsibility for the content, privacy policies, or practices of third-party sites. We encourage you to review the privacy policy of every site you visit.
14 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Post a prominent notice on our website homepage
- Send email notification to registered client portal users for material changes
- In some cases, request your renewed consent
Your continued use of our website or services after any policy update constitutes your acceptance of the revised policy. We encourage you to review this page periodically.
15 Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please contact our Privacy team:
BRANDED IAM — Privacy Team
Response Commitment
General inquiries: within 5 business days
Data subject requests: within 30 days
Breach notifications: within 72 hours
We are committed to resolving privacy concerns promptly and transparently.