Privacy Policy

1. Introduction

Grafted Strategies, LLC, a Virginia-based company located at 17 Loudoun St. SE, Leesburg, VA 20175, provides implementation and consulting services as a partner of Salesforce and Microsoft. This Privacy Policy explains how we collect, use, process, and protect personal data in connection with these services, including data cleaning, standardization, and migration. We are committed to complying with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Health Insurance Portability and Accountability Act (HIPAA) where applicable, and Payment Card Industry Data Security Standards (PCI DSS) where applicable.

2. Data We Collect

We collect and process the following personal data:

– **Client Data**: Personally identifiable information (e.g., names, email addresses, phone numbers), provided by clients for implementation, consulting, data cleaning, standardization, or migration.
– **Marketing Data**: Personally identifiable information (e.g., names, email addresses) collected directly for marketing purposes within the US.
– **Technical Data**: IP addresses, device information, and analytics data collected via platforms (e.g., Salesforce, Microsoft Azure, OneDrive, SharePoint).

Data is collected from clients, their systems, or automated means (e.g., analytics tools).

3. Purpose of Data Processing

We process personal data to:

– Provide implementation and consulting services, including data cleaning, standardization, and migration.
– Manage client relationships and ongoing engagements (e.g., retainer or support agreements).
– Conduct marketing activities within the US (as a data controller).
– Improve services and ensure security.
– Comply with GDPR, CCPA, VCDPA, HIPAA, and PCI DSS where applicable.

4. Legal Basis for Processing

– **Client Data (Processor Role)**: Processed under contract to fulfill client instructions.
– **Marketing Data (Controller Role)**: Processed based on consent or legitimate interests for US-based marketing.
– **Legal Obligation**: To comply with applicable laws (e.g., GDPR, HIPAA).
– **Legitimate Interests**: To enhance security or improve services.

5. Data Sharing

– **Client Data**: Shared only with sub-processors (e.g., Salesforce, Microsoft Azure, OneDrive, SharePoint, Zoom, Slack, Asana) necessary for services, under their standard data processing agreements. We do not sell or share client data for marketing.
– **Marketing Data**: Never sold or shared with third parties.
– **Legal Authorities**: Disclosed only when required by law or to protect our rights.

6. Data Storage and Retention

– **Storage**: All data is stored in the US using encrypted services (e.g., Microsoft Azure, OneDrive, SharePoint, Salesforce) with multi-factor authentication, role-based access, access logs, and sharing/deletion controls.
– **Retention**: Client data is deleted within 30 days post-project completion or termination, with written notification to clients, unless required for ongoing engagements (e.g., retainer or support agreements). Marketing data is retained until consent is withdrawn or no longer needed.

7. Data Subject Rights

Under GDPR, CCPA, VCDPA, and other laws, you have rights to:

– Access, correct, or delete your personal data.
– Restrict or object to processing.
– Request data portability.
– Opt out of data sales (CCPA). Note: We do not sell data.

Contact us via the form below to exercise these rights. We respond within 30 days or as required by law.

8. Security Measures

We implement robust measures, including:

– Encryption of data in transit and at rest via Salesforce, Microsoft Azure, OneDrive, SharePoint.
– Multi-factor authentication, role-based access, access logs, and sharing/deletion controls.
– Regular security audits to ensure compliance.

9. International Data Transfers

For EU or UK data subjects, we use Standard Contractual Clauses (SCCs) to comply with GDPR for cross-border transfers. All data is stored and processed in the US.

10. HIPAA Compliance

When handling Protected Health Information (PHI), we enter into a Business Associate Agreement (BAA) with clients to ensure HIPAA compliance, incorporated into our Consulting & Services Agreement where applicable.

11. Marketing

We conduct marketing only in the US and do not share or sell contact data. Opt out by contacting us via the form below.

12. Contact Us

For questions or concerns, contact:
Grafted Strategies, LLC
Attn: Data Privacy Dept.
17 Loudoun St. SE,
Leesburg, VA 20175

or at the form below.

13. Changes to This Policy

We may update this policy to reflect changes in practices or laws. Significant changes will be notified via email or our website (graftedstrategies.com).