Privacy Policy
This privacy policy describes how Brent Norris collects, uses, stores, shares, and protects your personal information when you interact with our website, services, and client engagements.
Overview & Scope
This Privacy Policy ("Policy") applies to all personal information collected by Brent Norris ("we," "us," "our," or "the Organization") through our website at brentnorris.com, client service engagements, communications, and any related digital properties. This policy covers all data processing activities whether performed directly or through authorized third-party service providers.
By using our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please discontinue use of our services.
This policy is designed to comply with applicable data protection regulations including the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA) where applicable, and general data protection best practices aligned with GDPR principles.
Data Controller
The data controller responsible for your personal information is:
For all privacy-related inquiries, requests, or complaints, contact the data controller using the information above. We will respond to verified requests within 30 days.
Information We Collect
3.1 Information You Provide Directly
- Contact information: name, email address, phone number, mailing address
- Business information: company name, website URL, project requirements, budget parameters
- Account credentials: email and authentication tokens for client portal access
- Communications: content of emails, contact form submissions, support requests, and feature requests
- Financial information: billing details provided through our payment processor (Stripe/Square)
- Feedback: article feedback, service reviews, and consultation notes
3.2 Information Collected Automatically
- Device information: browser type, operating system, screen resolution
- Usage data: pages visited, time on page, referral source, navigation paths
- Network information: IP address (stored as SHA-256 hash, never in plaintext), general geographic location
- Session data: session identifiers, timestamps, interaction patterns
3.3 Information from Third Parties
- Payment processors: transaction confirmations, payment status (we do not store full card numbers)
- Monitoring services: uptime data, SSL certificate status, and performance metrics for client websites
- Public sources: publicly available business information relevant to client engagements
How We Collect Information
We collect information through the following mechanisms:
- Contact forms: Lead intake forms, consultation requests, and support submissions on our website
- Client portal: Authenticated sessions in our admin dashboard for service management
- Email communications: Direct correspondence via email and automated transactional messages (invoices, confirmations, password resets)
- Cookies and similar technologies: Session cookies for authentication and functional site operation (see Section 11)
- API integrations: Webhooks and API calls from integrated services such as payment processors, uptime monitors, and client content management systems
- Security audit logs: Automated logging of authentication events, data access, and administrative actions for security monitoring
Legal Basis for Processing
We process personal information based on one or more of the following legal grounds:
| Legal Basis | Application |
|---|---|
| Contractual Necessity | Processing required to fulfill service agreements, deliver projects, and manage client accounts |
| Legitimate Interest | Security monitoring, fraud prevention, service improvement, and business analytics (with balancing test) |
| Consent | Marketing communications, optional feedback collection, and non-essential cookie usage |
| Legal Obligation | HIPAA compliance for covered entities, tax and financial record-keeping, law enforcement requests |
Use of Information
We use collected information for the following purposes:
6.1 Service Delivery
- Providing web development, managed hosting, AI consulting, and compliance services
- Managing client accounts, projects, invoicing, and support requests
- Communicating project updates, deliverables, and service notifications
6.2 Security & Operations
- Monitoring and protecting the security of our systems and client websites
- Detecting, preventing, and responding to security incidents, fraud, and abuse
- Maintaining audit logs for accountability and compliance verification
6.3 Improvement & Analytics
- Analyzing usage patterns to improve website functionality and user experience
- Evaluating service effectiveness through client health scoring and feedback analysis
- Developing new features and services based on aggregated, anonymized data
Data Sharing & Disclosure
We do not sell, rent, or trade your personal information. We may share information with the following categories of recipients under strict contractual controls:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Infrastructure Providers | Cloud hosting, database services, CDN | SOC 2 certified, encryption at rest |
| Payment Processors | Invoice payments via Stripe/Square | PCI DSS Level 1 compliant |
| Email Service Providers | Transactional emails (invoices, confirmations) | DKIM/SPF/DMARC enforcement |
| Monitoring Services | Uptime monitoring, SSL checks, performance | Data minimization, API-only access |
| Legal/Regulatory | Court orders, subpoenas, regulatory inquiries | Minimum necessary disclosure |
All third-party service providers are subject to vendor security assessments and contractual obligations including data processing agreements, confidentiality clauses, and breach notification requirements.
Data Retention
We retain personal information only as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, and resolve disputes.
| Data Category | Retention Period | Basis |
|---|---|---|
| Client account data | Duration of engagement + 3 years | Contractual, legal |
| Financial records | 7 years from transaction date | Tax/regulatory obligation |
| Security audit logs | 2 years | Security, compliance |
| Email logs | 1 year | Operational, deliverability |
| Contact form submissions | Duration of engagement or 1 year if no engagement | Legitimate interest |
| Session/analytics data | 90 days (anonymized thereafter) | Legitimate interest |
| HIPAA-covered data | 6 years from creation or last effective date | HIPAA §164.530(j) |
Upon expiration of the retention period, data is securely deleted using cryptographic erasure or secure overwrite methods. An audit trail is maintained for all data disposal actions.
Data Security Measures
We implement administrative, technical, and physical safeguards to protect personal information against unauthorized access, alteration, disclosure, or destruction. For complete details, refer to our Information Security Policy.
Key Controls
- Encryption in transit (TLS 1.2+) and at rest (AES-256-GCM) for all sensitive data
- Row-level security (RLS) policies at the database layer ensuring data isolation
- Multi-factor authentication (MFA) for all administrative access
- SHA-256 hashing of IP addresses; plaintext IPs are never stored
- Automated security monitoring with real-time incident alerting
- Regular vulnerability assessments and security patch management
- Credential encryption using AES-256-GCM with isolated vault services
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right to Access: Request a copy of the personal information we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete information
- Right to Deletion: Request deletion of your personal information, subject to legal retention requirements
- Right to Restrict Processing: Request limitation of how we process your information
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interest or direct marketing
- Right to Withdraw Consent: Withdraw previously given consent at any time without affecting prior lawful processing
- Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment (CCPA)
To exercise any of these rights, contact us with the subject "Privacy Rights Request." We will verify your identity before processing the request and respond within 30 calendar days. Complex requests may require an additional 30-day extension with notice.
HIPAA & Protected Health Information
When providing services to HIPAA-covered entities or their business associates, we implement additional safeguards for Protected Health Information (PHI):
- Business Associate Agreements (BAAs): Executed with all covered entity clients before PHI access is granted
- Minimum Necessary Standard: PHI access limited to the minimum information required to perform contracted services
- Administrative Safeguards: Workforce training, sanction policies, and designated HIPAA Security Officer
- Technical Safeguards: Access controls, audit logging, integrity verification, and transmission security per 45 CFR §164.312
- Physical Safeguards: Facility access controls, workstation use policies, and device/media controls
- Breach Notification: HIPAA-compliant breach notification procedures within 60 days of discovery, including individual, HHS, and media notification as required by 45 CFR §§164.404-408
- Retention: HIPAA documentation retained for 6 years from creation date or last effective date per §164.530(j)
PHI is never used for marketing, analytics, or any purpose beyond the scope of the applicable Business Associate Agreement.
Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16 without parental consent, we will take immediate steps to delete that information.
If you believe we have inadvertently collected information from a minor, pleasecontact us immediately.
International Data Transfers
Our primary operations and data processing are conducted within the United States. If you access our services from outside the United States, your information may be transferred to, stored, and processed in the United States where data protection laws may differ from those in your jurisdiction.
- All international transfers are protected by encryption in transit (TLS 1.2+)
- Third-party providers processing international data are contractually obligated to maintain adequate safeguards
- By using our services, you consent to the transfer of your information to the United States
Third-Party Links
Our website may contain links to third-party websites, services, or resources that are not operated by us. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party services before providing personal information.
Policy Changes
We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or business operations. Changes will be posted on this page with an updated effective date.
- Material changes will be communicated via email to active clients and posted prominently on our website
- Non-material changes take effect immediately upon posting
- Continued use of our services after changes constitutes acceptance of the updated policy
- Previous versions of this policy are available upon request
Contact Information
For questions, concerns, or requests related to this Privacy Policy or our data practices, contact us through any of the following channels:
Subject Line
Use "Privacy Inquiry" for general questions or "Privacy Rights Request" for rights exercises
Response Time
We respond to all privacy inquiries within 30 calendar days of receipt
Document Control: Version 1.0 | Effective: February 15, 2026 | Last Updated: February 15, 2026 | Next Review: February 15, 2027
This Privacy Policy should be read in conjunction with our Information Security Policy.