PRIVACY POLICY

1. Introduction

[COMPANY NAME] (“Company,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard Personal Data when individuals interact with our websites, mobile applications, and services (collectively, the “Services”).

[// GUIDANCE: Insert a prominent summary statement or layered notice for accessibility requirements.]

2. Scope

This Privacy Policy applies to Personal Data processed about consumers, job applicants, and business contacts located in the United States. If you reside in California, Colorado, Texas, Virginia, Connecticut, Utah, or another jurisdiction with enhanced rights, please review the applicable state-specific sections below.

3. Key Definitions

• Personal Data means information that identifies, relates to, describes, or is reasonably capable of being associated with an identified or identifiable individual.
• Sensitive Personal Data includes precise geolocation, biometric information, health data, citizenship status, children’s data, and other categories defined by applicable law.
• Sale, Share, Targeted Advertising, and Profiling have the meanings assigned under relevant state privacy statutes.

4. Categories of Personal Data Collected

We collect the following categories of Personal Data, depending on how you interact with the Services:
- Identifiers (e.g., name, email address, online identifiers)
- Commercial information (e.g., products purchased, account history)
- Internet or electronic network activity (e.g., browsing data, cookies)
- Geolocation data
- Inferences drawn from other Personal Data to create profiles
- [ADDITIONAL CATEGORIES]

We do not knowingly collect Personal Data of children under 13 without verifiable parental consent.

5. Sources of Personal Data

We obtain Personal Data from:
- Direct interactions (forms, support requests, account registration)
- Automated technologies (cookies, pixels, SDKs)
- Third-party partners (resellers, marketplace operators, data providers)
- Public sources (professional profiles, public records)

6. Purposes of Processing

We process Personal Data to:
- Provide, maintain, and improve the Services
- Process transactions and fulfill orders
- Personalize content and marketing communications
- Conduct analytics and measure performance
- Prevent fraud, security incidents, and abuse
- Comply with legal obligations and enforce agreements
- [OTHER PURPOSES]

7. Legal Bases (If Applicable)

If required by law, we rely on legitimate interests, consent, performance of a contract, or compliance with legal obligations as the legal bases for processing. For Colorado and Virginia consumers, we conduct data protection assessments for high-risk processing.

8. Disclosures of Personal Data

We disclose Personal Data to:
- Service providers processing on our behalf under written contracts
- Business partners involved in joint offerings
- Authorities and law enforcement where required by law
- Successors in connection with corporate transactions
- [OTHER RECIPIENTS]

We do not sell Personal Data for monetary consideration but may “share” data for targeted advertising as defined by certain state laws. See Section 12 for opt-out rights.

9. Retention

We retain Personal Data for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce agreements. We maintain a retention schedule and review data at least annually.

10. Security

We implement administrative, technical, and physical safeguards designed to protect Personal Data. However, no security measures are perfect; we cannot guarantee absolute security.

11. Consumer Rights Overview

Consumers in certain jurisdictions have the following rights (subject to exceptions):
- Right to know/access the Personal Data we maintain
- Right to correct inaccurate Personal Data
- Right to delete Personal Data
- Right to opt out of the sale or sharing of Personal Data and targeted advertising
- Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects
- Right to appeal decisions we make regarding consumer requests

Submit requests via [EMAIL/WEB PORTAL/PHONE]. We will verify your identity before fulfilling requests.

11A. Automated Decision-Making & Risk Assessments

Describe whether you engage in automated decision-making or profiling with legal or similarly significant effects. Reference your documented risk assessments and consumer opt-out mechanisms in accordance with the CPPA’s September 2025 final regulations and emerging state requirements.

12. State-Specific Notices

12.1 California (CPRA)

• Provide the “Notice at Collection” requirements, including categories, purposes, and retention.
• Explain the right to limit the use of Sensitive Personal Information.
• Describe how authorized agents may submit requests.
• Include a “Do Not Sell or Share My Personal Information” link and instructions.
• Offer a “Limit the Use of My Sensitive Personal Information” link when applicable.
• Summarize how automated decision-making disclosures, access, and opt-out rights are honored under the CPPA’s finalized ADMT regulations (Sept 2025) and document related risk assessments.

12.2 Colorado (CPA)

• Describe universal opt-out mechanism (Global Privacy Control) recognition.
• Provide instructions for authenticating Colorado consumer requests.
• Explain appeal process with response timeline of 45 days (extendable).
• Disclose profiling activities subject to opt-out.

12.3 Texas (TDPSA)

• Explain opt-out rights for targeted advertising and sale.
• Identify a method for consumers to revoke consent for processing Sensitive Personal Data.
• State the contact information for our privacy officer.
• Provide a conspicuous disclosure for electronic communications regarding targeted advertising.
• Confirm recognition of universal opt-out mechanisms (including Global Privacy Control) when technically feasible, consistent with Texas enforcement guidance.

12.4 Virginia, Connecticut, Utah (VCDPA, CTDPA, UCPA)

• Summarize rights to access, correct, delete, data portability, and opt out of targeted advertising.
• Provide contact information for appeals and AG complaint submission.
• Note any exemptions relied upon.

12.5 Additional States

Include modules for New Jersey, Florida, or emerging laws as they come into effect. Update this Policy at least annually.

13. Cookies & Tracking Technologies

We use cookies, pixels, scripts, and similar technologies to operate the Services, analyze traffic, and personalize content. See the Cookie Notice attached as Annex A for detailed information and opt-out mechanisms, including Global Privacy Control recognition.

14. International Data Transfers

If we transfer Personal Data outside the originating jurisdiction, we implement appropriate safeguards such as Standard Contractual Clauses or other lawful mechanisms.

15. Children’s Privacy

We do not knowingly collect information from children under the age of 13 (or other applicable age thresholds). If we learn that we collected such information, we will delete it promptly.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a “Last Updated” date and notify you as required by law.

17. Contact Us

For questions or to exercise your rights, contact us at:
- Email: [PRIVACY EMAIL]
- Mailing Address: [ADDRESS]
- Toll-Free Number: [PHONE]
- Data Protection Officer/Privacy Officer: [NAME], [TITLE]

Annex A – Cookie Notice & Global Privacy Control Statement

Provide a table of cookies and tracking technologies, describing purpose, provider, retention, opt-out links, and GPC compliance details.

Annex B – Consumer Rights Request Intake Form

Include intake fields for identity verification, description of request, deadlines, and appeal options.

Annex C – Sensitive Data & Risk Assessment Summary

Document categories of Sensitive Personal Data collected, processing purposes, retention, and risk assessment references.

[// GUIDANCE: Host this Privacy Policy in a version-controlled environment and log substantive updates.]