Version 1.0, Effective February 15, 2026

    Privacy Policy

    This privacy policy describes how Brent Norris collects, uses, stores, shares, and protects your personal information when you interact with our website, services, and client engagements.

    Section 1

    Overview & Scope

    This Privacy Policy ("Policy") applies to all personal information collected by Brent Norris ("we," "us," "our," or "the Organization") through our website at brentnorris.com, client service engagements, communications, and any related digital properties. This policy covers all data processing activities whether performed directly or through authorized third-party service providers.

    By using our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please discontinue use of our services.

    This policy is designed to comply with applicable data protection regulations including the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA) where applicable, and general data protection best practices aligned with GDPR principles.

    Section 2

    Data Controller

    The data controller responsible for your personal information is:

    Brent Norris

    Digital Business Systems and Design Architect

    Contact Brent

    Website: brentnorris.com

    For all privacy-related inquiries, requests, or complaints, contact the data controller using the information above. We will respond to verified requests within 30 days.

    Section 3

    Information We Collect

    3.1 Information You Provide Directly

    • Contact information: name, email address, phone number, mailing address
    • Business information: company name, website URL, project requirements, budget parameters
    • Account credentials: email and authentication tokens for client portal access
    • Communications: content of emails, contact form submissions, support requests, and feature requests
    • Financial information: billing details provided through our payment processor (Stripe/Square)
    • Feedback: article feedback, service reviews, and consultation notes

    3.2 Information Collected Automatically

    • Device information: browser type, operating system, screen resolution
    • Usage data: pages visited, time on page, referral source, navigation paths
    • Network information: IP address (stored as SHA-256 hash, never in plaintext), general geographic location
    • Session data: session identifiers, timestamps, interaction patterns

    3.3 Information from Third Parties

    • Payment processors: transaction confirmations, payment status (we do not store full card numbers)
    • Monitoring services: uptime data, SSL certificate status, and performance metrics for client websites
    • Public sources: publicly available business information relevant to client engagements
    Section 4

    How We Collect Information

    We collect information through the following mechanisms:

    • Contact forms: Lead intake forms, consultation requests, and support submissions on our website
    • Client portal: Authenticated sessions in our admin dashboard for service management
    • Email communications: Direct correspondence via email and automated transactional messages (invoices, confirmations, password resets)
    • Cookies and similar technologies: Session cookies for authentication and functional site operation (see Section 11)
    • API integrations: Webhooks and API calls from integrated services such as payment processors, uptime monitors, and client content management systems
    • Security audit logs: Automated logging of authentication events, data access, and administrative actions for security monitoring
    Section 6

    Use of Information

    We use collected information for the following purposes:

    6.1 Service Delivery

    • Providing web development, managed hosting, AI consulting, and compliance services
    • Managing client accounts, projects, invoicing, and support requests
    • Communicating project updates, deliverables, and service notifications

    6.2 Security & Operations

    • Monitoring and protecting the security of our systems and client websites
    • Detecting, preventing, and responding to security incidents, fraud, and abuse
    • Maintaining audit logs for accountability and compliance verification

    6.3 Improvement & Analytics

    • Analyzing usage patterns to improve website functionality and user experience
    • Evaluating service effectiveness through client health scoring and feedback analysis
    • Developing new features and services based on aggregated, anonymized data
    Section 7

    Data Sharing & Disclosure

    We do not sell, rent, or trade your personal information. We may share information with the following categories of recipients under strict contractual controls:

    RecipientPurposeSafeguards
    Infrastructure ProvidersCloud hosting, database services, CDNSOC 2 certified, encryption at rest
    Payment ProcessorsInvoice payments via Stripe/SquarePCI DSS Level 1 compliant
    Email Service ProvidersTransactional emails (invoices, confirmations)DKIM/SPF/DMARC enforcement
    Monitoring ServicesUptime monitoring, SSL checks, performanceData minimization, API-only access
    Legal/RegulatoryCourt orders, subpoenas, regulatory inquiriesMinimum necessary disclosure

    All third-party service providers are subject to vendor security assessments and contractual obligations including data processing agreements, confidentiality clauses, and breach notification requirements.

    Section 8

    Data Retention

    We retain personal information only as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, and resolve disputes.

    Data CategoryRetention PeriodBasis
    Client account dataDuration of engagement + 3 yearsContractual, legal
    Financial records7 years from transaction dateTax/regulatory obligation
    Security audit logs2 yearsSecurity, compliance
    Email logs1 yearOperational, deliverability
    Contact form submissionsDuration of engagement or 1 year if no engagementLegitimate interest
    Session/analytics data90 days (anonymized thereafter)Legitimate interest
    HIPAA-covered data6 years from creation or last effective dateHIPAA §164.530(j)

    Upon expiration of the retention period, data is securely deleted using cryptographic erasure or secure overwrite methods. An audit trail is maintained for all data disposal actions.

    Section 9

    Data Security Measures

    We implement administrative, technical, and physical safeguards to protect personal information against unauthorized access, alteration, disclosure, or destruction. For complete details, refer to our Information Security Policy.

    Key Controls

    • Encryption in transit (TLS 1.2+) and at rest (AES-256-GCM) for all sensitive data
    • Row-level security (RLS) policies at the database layer ensuring data isolation
    • Multi-factor authentication (MFA) for all administrative access
    • SHA-256 hashing of IP addresses; plaintext IPs are never stored
    • Automated security monitoring with real-time incident alerting
    • Regular vulnerability assessments and security patch management
    • Credential encryption using AES-256-GCM with isolated vault services
    Section 10

    Your Rights

    Depending on your jurisdiction, you may have the following rights regarding your personal information:

    • Right to Access: Request a copy of the personal information we hold about you
    • Right to Rectification: Request correction of inaccurate or incomplete information
    • Right to Deletion: Request deletion of your personal information, subject to legal retention requirements
    • Right to Restrict Processing: Request limitation of how we process your information
    • Right to Data Portability: Receive your data in a structured, machine-readable format
    • Right to Object: Object to processing based on legitimate interest or direct marketing
    • Right to Withdraw Consent: Withdraw previously given consent at any time without affecting prior lawful processing
    • Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment (CCPA)

    To exercise any of these rights, contact us with the subject "Privacy Rights Request." We will verify your identity before processing the request and respond within 30 calendar days. Complex requests may require an additional 30-day extension with notice.

    Section 11

    Cookies & Tracking Technologies

    Our website uses cookies and similar technologies for the following purposes:

    TypePurposeDuration
    EssentialAuthentication, session management, security tokensSession / 7 days
    FunctionalUser preferences, theme selection, form state30 days
    AnalyticsAggregated usage statistics, page performance90 days

    We do not use third-party advertising cookies or cross-site tracking technologies. Essential cookies cannot be disabled as they are required for site functionality. You may manage cookie preferences through your browser settings.

    Section 12

    HIPAA & Protected Health Information

    When providing services to HIPAA-covered entities or their business associates, we implement additional safeguards for Protected Health Information (PHI):

    • Business Associate Agreements (BAAs): Executed with all covered entity clients before PHI access is granted
    • Minimum Necessary Standard: PHI access limited to the minimum information required to perform contracted services
    • Administrative Safeguards: Workforce training, sanction policies, and designated HIPAA Security Officer
    • Technical Safeguards: Access controls, audit logging, integrity verification, and transmission security per 45 CFR §164.312
    • Physical Safeguards: Facility access controls, workstation use policies, and device/media controls
    • Breach Notification: HIPAA-compliant breach notification procedures within 60 days of discovery, including individual, HHS, and media notification as required by 45 CFR §§164.404-408
    • Retention: HIPAA documentation retained for 6 years from creation date or last effective date per §164.530(j)

    PHI is never used for marketing, analytics, or any purpose beyond the scope of the applicable Business Associate Agreement.

    Section 13

    Children's Privacy

    Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16 without parental consent, we will take immediate steps to delete that information.

    If you believe we have inadvertently collected information from a minor, pleasecontact us immediately.

    Section 14

    International Data Transfers

    Our primary operations and data processing are conducted within the United States. If you access our services from outside the United States, your information may be transferred to, stored, and processed in the United States where data protection laws may differ from those in your jurisdiction.

    • All international transfers are protected by encryption in transit (TLS 1.2+)
    • Third-party providers processing international data are contractually obligated to maintain adequate safeguards
    • By using our services, you consent to the transfer of your information to the United States
    Section 16

    Policy Changes

    We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or business operations. Changes will be posted on this page with an updated effective date.

    • Material changes will be communicated via email to active clients and posted prominently on our website
    • Non-material changes take effect immediately upon posting
    • Continued use of our services after changes constitutes acceptance of the updated policy
    • Previous versions of this policy are available upon request
    Section 17

    Contact Information

    For questions, concerns, or requests related to this Privacy Policy or our data practices, contact us through any of the following channels:

    Subject Line

    Use "Privacy Inquiry" for general questions or "Privacy Rights Request" for rights exercises

    Response Time

    We respond to all privacy inquiries within 30 calendar days of receipt

    Document Control: Version 1.0 | Effective: February 15, 2026 | Last Updated: February 15, 2026 | Next Review: February 15, 2027

    This Privacy Policy should be read in conjunction with our Information Security Policy.