Purpose

 

Cybersoft, Inc. (Cybersoft) adopts this privacy policy (“Privacy Policy”) to provide consumers with a description of Cybersoft’s practices regarding the collection, processing, and retention of consumer personal information; to inform consumers of the rights they have regarding their personal information; and, to notify consumers of how to exercise those rights under the California Consumer Privacy Act of 2018 (CCPA) and CCPA Regulations. 
 

Coverage

 

This Privacy Policy covers every consumer that is a natural person who is a California resident and the personal information of the consumer that Cybersoft has been processing. 

 
Additionally, in instances where the consumer is a natural person who is not a California resident, this Privacy Policy covers the consumer’s personal information that is collected when all of the following three conditions concur: 

• if that information is collected while the consumer was outside of California 

• if no part of the sale of the consumer’s personal information occurred in California 

• if no personal information collected while the consumer was in California is sold. 

 
Online Posting and Effectivity

 

This Privacy Policy is posted online which can be accessed and downloaded at https://www.cybersoftbpo.com/privacy-policy-2022 and by clicking the “Privacy Policy” tab on Cybersoft's Website Homepage at https://www.cybersoftbpo.com for easy accessibility to consumers. 

 
This Privacy Policy is updated at least once every 12 months and any changes take effect upon the date of posting of the revised Privacy Policy. 

 
Service Provider

 

Cybersoft is a service provider under the CCPA that performs data processing on behalf of businesses engaged in business data and analytics services, pursuant to written contracts with such businesses. Cybersoft processes data source documents pre-designated by such businesses that are obtained from various data suppliers selected and engaged by such businesses. Under its contracts with such businesses, Cybersoft is prohibited from selling, or using and retaining consumer personal information in process for any purpose other than for the specific purpose of processing specified in the contracts. 

  

Practices Regarding Collection, Processing, and Retention of Consumer Personal Information
 

As a service provider in accordance with the written contract entered into between Cybersoft and a business, Cybersoft first acquires pre-designated data source documents concomitantly containing consumer personal information on behalf of a business from various data suppliers selected and engaged by the business. Cybersoft then captures data elements specified and defined by the business which it then converts to a secure encrypted format indicated by the business for delivery solely to the business through the electronic transmission mechanism chosen by the business, including but not limited to, processing platforms provided by business that use unique usernames and passwords. Cybersoft repeats the above-described practices to update data elements and retains the data for as long as is required by a business. Cybersoft does not sell or otherwise share the business’s data or the consumer personal information contained in the business’s data. 

 
Categories of Personal Information

 

Pursuant to its written contract with a business, Cybersoft collects information on businesses and business professionals constituting the following categories of personal information:  

• Identifiers: Examples of this information on business professionals include contact information such as real name, job title, address, phone number, fax number, e-mail address, domain names, or other similar identifiers. 

• Commercial Information: Examples of this information on businesses include company profiles and statistics, including number of employees; assets, net worth; and business relationships. 

• Geolocation Data: Examples of this information on businesses include territories, locations and geographical operation histories of companies, subsidiaries, affiliates, and lines of business. 

• Professional Information: Examples of this information on business professionals include background profiles and information regarding company management, such as beneficial ownership/persons of significant control, and the educational and career histories of company principals. 

​ 

Personal information does not include the following: 

• Publicly available information from government records 

• De-identified or aggregated consumer information 

• Information excluded from the CCPA’s scope, such as: 

• Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; 

• Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994. 

  

Categories of Sources of Personal Information

 

Cybersoft does not directly source consumers for personal information. 
Pursuant to its written contract with a business, Cybersoft acquires, on behalf of the business, data source documents containing consumer personal information from various data suppliers selected and engaged by the business constituting the following categories of sources from which personal information is collected:  

• Data vendors 

• Governmental and administrative public records such as business registrations and company filings 

• Court and bankruptcy filings 

• Public sector information and company registrars 

• Regulatory bodies and law enforcement agencies 

  

Incidental Collection of Personal Information While Data Processing

 

Cybersoft does not sell or share collected personal information. 

 

As a service provider pursuant to its written contract with a business, Cybersoft, on behalf of the business, acquires certain pre-designated data source documents concomitantly containing consumer personal information from various data suppliers selected and engaged by the business which Cybersoft processes to produce commercial data for the business vis-à-vis business organizations and business professionals that are supplied to and among other business organizations and business professionals. The purpose of this processing is to generate accurate current useful critical data made available to business organizations and business professionals in order to enable them to informedly manage their financial risks, protect against fraud, know who they are doing business with, efficiently meet compliance and regulatory obligations, and better understand organizations, industries and markets.  

  

No Sale and No Disclosure of Personal Information

 

As a service provider, in accordance with the written contracts entered into between Cybersoft and businesses, Cybersoft processes data containing consumer personal information on behalf of the businesses that are delivered solely to the businesses through the electronic transmission mechanism chosen by the businesses, including but not limited to, processing platforms provided by businesses that use unique usernames and passwords. Cybersoft is prohibited from selling, or using and retaining consumer personal information for any purpose other than for the specific purpose of processing data specified in the contracts. 

• In the preceding 12 months, Cybersoft did not sell nor disclose for a business purpose personal information to third parties 

• Cybersoft does not sell the personal information of consumers actually known to be less than 16 years of age 

  

Rights to Request to Disclose to Consumer, Correct, or Delete Personal Information in Process

​

A consumer has the right to the disclosure to consumer, correction, or deletion of consumer’s personal information in process. 

 
As a service provider pursuant to written contracts with businesses, Cybersoft processes consumer personal information for such businesses. If a consumer has reason to believe that its personal information is in process by Cybersoft, the consumer has the consumer’s right to request a confirmation of whether its personal information is in process by Cybersoft for such businesses, as wells as the rights to have that the personal information in process disclosed to the consumer, and if so desired, corrected or deleted. 

 
Verifiable Consumer Request

​

To exercise its consumer rights, a consumer may submit to Cybersoft a request to disclose to consumer, correct, or delete consumer’s personal information in process by completing the Consumer’s Personal Information Request Form provided for consumer’s convenience on the Cybersoft’s Website at https://www.cybersoftbpo.com/consumer-personal-information or by emailing to consumerprivacy@cybersoftbpo.com a request containing the minimum information set forth in the aforementioned request form. If the consumer has an account with the business, the business may require the consumer to use that account to submit a Verifiable Consumer Request. A consumer can only make a Verifiable Consumer Request twice within a 12-month period. A consumer may be represented by an authorized agent in submitting a request to disclose to consumer, correct, or delete personal information in process. To protect consumer privacy and maintain data security, a completed and notarized Consumer’s Authorization of Authorized Agent Form downloadable from https://www.cybersoftbpo.com/privacy-policy-2022/#forms is required to be submitted along with a Consumer’s Personal Information Request Form and completed Declaration of Consumer’s Identity Form available at https://www.cybersoftbpo.com/declaration-of-consumer-identity and Declaration of Authorized Agent’s Identity Form available at https://www.cybersoftbpo.com/authorized-agent-identity. 
  

A Verifiable Consumer Request to disclose to consumer, correct, or delete personal information in process shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. 
  

If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may charge a reasonable fee, taking into account the administrative costs of providing the information or communication, or taking the action requested. Or, the business may refuse to act on the request and notify the consumer of the reason for refusing the request. In either case, the business shall bear the burden of demonstrating that a consumer request is manifestly unfounded or excessive. 
  

Verification of Consumer Identity

​

To protect consumer privacy and maintain data security, the consumer identity of the requestor shall be verified by requiring that a completed Declaration of Consumer’s Identity Form be submitted along with a Consumer’s Personal Information Request Form. A downloadable Declaration of Consumer’s Identity Form is available at https://www.cybersoftbpo.com/privacy-policy-2022/#forms. In case the consumer is represented by an authorized agent, a completed Declaration of Authorized Agent’s Identity Form is available at https://www.cybersoftbpo.com/authorized-agent-identity and shall be required to be submitted by the authorized agent. 
  

The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a Verifiable Consumer Request. To verify the consumer's identity, the business shall, whenever feasible, match the identifying information provided by the requestor to the personal information of the consumer already maintained by the business. 

• A request to disclose to consumer categories of personal information shall require verification to a reasonable degree of certainty which may include matching at least two data points provided by the requestor with data points maintained by the business. 

• A request to disclose to consumer what would consist of specific pieces of personal information shall require verification to a reasonably high degree of certainty which may include matching at least three pieces of personal information provided by the requestor with personal information maintained by the business together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. The business maintains all signed declarations as part of its record-keeping. 

• A request to delete shall require verification to a reasonable or reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. The business shall act in good faith when determining the appropriate standard to apply. 

• A request to correct inaccurate personal information shall require verification to a reasonable or reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. The business shall act in good faith when determining the appropriate standard to apply. 

• If the business suspects fraudulent or malicious activity on or from a password-protected account, the business shall not comply with a consumer's request to disclose to consumer, request to delete or request to correct inaccurate personal information until further verification procedures determine that the consumer request is authentic and the consumer making the request is the person about whom the business has collected information. 

• The business may rely on representations made in a request to establish a consumer’s rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have any right to the personal information. The business is under no legal obligation to take any action in the event of a dispute between or among persons claiming rights to personal information in the business's possession. 

  

Denial of Request

 

A request shall be denied if the identity of requestor as consumer cannot be established. The business shall issue the denial of request in writing to be delivered to the requestor by mail or electronically in the mode the request was received. 

 
Consumer’s Right to Disclosure of Personal Information in Process to Consumer

 

A consumer has the right to the disclosure of consumer’s personal information in process to consumer. 

 
In all proper cases where the business has verified a consumer’s request to disclose to consumer personal information and the consumer’s right thereto, the business shall identify by category or categories the personal information collected about the consumer for the applicable period of time by reference to the enumerated category or categories that most closely describes the personal information collected; the categories of sources from which the consumer’s personal information was collected; the business or commercial purpose for collecting, selling, or sharing the consumer’s personal information; and the categories of third parties to whom the business discloses the consumer’s personal information; and, provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation. 

  

The disclosure to consumer shall cover the 12-month period preceding the business’s receipt of the Verifiable Consumer Request to Disclose to Consumer and shall be made in writing and delivered through the consumer’s account with the business if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit the disclosed information from one entity to another entity without hindrance. A consumer may request that the business disclose to consumer the requested personal information in process beyond the 12-month period, and the business shall be required to provide that information unless doing so proves impossible or would involve a disproportionate effort. A consumer’s right to request required information beyond the 12-month period, and a business’s obligation to provide that information, shall only apply to personal information collected on or after January 1, 2022. 
  

The business shall disclose to consumer and deliver the requested personal information in process to a consumer free of charge within 45 days of receipt of consumer’s request notwithstanding and inclusive of the time it may have taken to verify the consumer request. A time period for the business to respond to a consumer’s Verifiable Consumer Request to Disclose to Consumer may be extended once by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. 

 
If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business. 

 
Cybersoft, as a service provider under the CCPA, shall not be required to comply with a Verifiable Consumer Request to Disclose to Consumer that is submitted by a consumer or a consumer’s authorized agent directly to Cybersoft to the extent that Cybersoft has collected personal information about the consumer in its role as a service provider. Instead, Cybersoft shall forward all Verifiable Consumer Requests to Disclose to Consumer that are received by it to the business with which it has a contractual relationship no later than 3 days from receipt. Should the business decide to accommodate a consumer’s request to provide the personal information sought by a consumer, Cybersoft, when so notified by the business, shall assist the business by providing to the business the consumer’s personal information in its possession obtained in connection with performing its contract with the business. 

 
Consumer’s Right to Delete Personal Information 

 

A consumer has the right to the deletion of consumer’s personal information in process. 

 
Under the CCPA, Cybersoft as a service provider shall not be required to comply with a Verifiable Consumer Request to Delete that is submitted directly by a consumer or a consumer’s authorized agent to Cybersoft to the extent that Cybersoft has collected, used, processed, or retained the consumer’s personal information in its role as a service provider. Instead, Cybersoft shall forward all Verifiable Consumer Requests to Delete that are received by it to the business with which it has a contractual relationship no later than 3 days from receipt. Should the business decide to accommodate a consumer’s request to delete the personal information sought by a consumer to be deleted, Cybersoft, when so notified by the business, shall delete, or enable the business to delete personal information about the consumer that has been collected, used, processed, or retained by Cybersoft in connection with performing its contract with the business. 

 
In all proper cases where the business has verified a consumer’s request to delete personal information and the consumer’s right thereto, the business shall delete the consumer’s personal information from its records and notify Cybersoft, as service provider, to delete the consumer’s personal information from its records by any of the following: 

a. Permanently and completely erasing the personal information on its existing systems with the exception of archived or back-up systems 

b. De-identifying the personal information 

c. Aggregating the consumer information 

  

In responding to a request to delete, a business may present the consumer with the choice to delete select portions of their personal information only if a global option to delete all personal information is also offered and more prominently presented than the other choices. 

​ 

If the business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system. 

 

The business shall delete the personal information in process free of charge within 45 days of receipt of consumer’s request notwithstanding and inclusive of the time it may have taken to verify the consumer request. A time period for the business to respond to a consumer for a Verifiable Consumer Request to Delete may be extended once by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. 

 
In cases where the business denies a consumer's request to delete, the business shall do all of the following: 

a. Inform the consumer that it will not comply with the consumer's request and describe the basis for the denial, including any conflict with federal or state law, or exception to the CCPA, unless prohibited from doing so by law 

b. Delete the consumer's personal information that is not subject to the exception  

c. Not use the consumer's personal information retained for any other purpose than provided for by that exception 

  

In cases where the business does not take action on a consumer’s request to delete, the business shall, without delay, so inform the consumer along with the reasons for not taking action and any rights the consumer may have to appeal the decision to the business. 

 
The business shall inform the consumer whether or not it has complied with a consumer's request to delete and likewise inform the consumer that it maintains records of consumer requests made pursuant to the CCPA and how it responded to the requests for at least 24 months. 

 
The business shall maintain a confidential record of deletion requests solely for the purpose of preventing the personal information of a consumer who has submitted a deletion request from being sold. 

 
The business and Cybersoft acting pursuant to the written contract between them, shall comply with a verified consumer’s request to delete the consumer’s personal information unless an exception applies. This is to mean that the business and Cybersoft cannot be required to delete the consumer’s personal information if retaining the same is reasonably necessary for the business and Cybersoft to: 

a. Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

b. Help to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes. 

c. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

d. Debug to identify and repair errors that impair existing intended functionality. 

e. Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law. 

f. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code. 

g. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent. 

h. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business. 

i. Comply with a legal obligation. 

j. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information. 

 
Consumer’s Right to Correct Inaccurate Personal Information

 

A consumer shall have the right to request the business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information. 

 

In all proper cases where the business has verified a consumer’s request to correct consumer’s inaccurate personal information and the consumer’s right thereto, the business shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer. 

  

As a service provider under the CCPA, Cybersoft shall not be required to comply with a Verifiable Consumer Request to Correct inaccurate personal information that is submitted by the consumer or a consumer’s authorized agent directly to Cybersoft to the extent that Cybersoft has collected, used, processed, or retained the consumer’s personal information in its role as a service provider. Instead, Cybersoft shall forward all Verifiable Consumer Requests to Correct inaccurate personal information received by it to the business with which it has a contractual relationship no later than 3 days from receipt. Should the business decide to accommodate a consumer’s request to correct the inaccurate personal information sought to be corrected by the consumer, Cybersoft, when so notified by the business, shall cooperate with the business to correct, or enable the business to correct the inaccurate personal information about the consumer that has been collected, used, processed, or retained by Cybersoft in connection with performing its contract with the business. 

 

The business shall correct inaccurate personal information in process free of charge within 45 days of receipt of consumer’s request notwithstanding and inclusive of the time it may have taken to verify the consumer request. A time period for the business to respond to a consumer for any Verifiable Consumer Request to Correct may be extended once by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. 

  

Non-Discrimination
 

Cybersoft does not discriminate against any consumer for exercising consumer rights under the CCPA. 

 
The denial of a consumer’s request to disclose to consumer, request to delete, or request to correct inaccurate personal information for reasons permitted by the CCPA or CCPA Regulations is not discriminatory. 

 
Authorized Agent

 

An authorized agent may represent a consumer in submitting a request to disclose to consumer, correct, or delete personal information in process. To protect consumer privacy and maintain data security, a completed and notarized Consumer’s Authorization of Authorized Agent Form downloadable from https://www.cybersoftbpo.com/privacy-policy-2022/#forms shall be required to be submitted along with a Consumer’s Personal Information Request Form and completed Declaration of Consumer’s Identity Form available at https://www.cybersoftbpo.com/declaration-of-consumer-identity and Declaration of Authorized Agent’s Identity Form available at https://www.cybersoftbpo.com/authorized-agent-identity. 

 
Amendments to Privacy Policy

 

Cybersoft reserves the right to modify and revise this Privacy Policy at its discretion and at any time. Should modifications and revisions be made, the modified and revised Privacy Policy shall be posted on the Website and the effective date of the Privacy Policy will be updated. 
  

Contact Information

​

Please send any questions or comments about the (a) Privacy Policy of Cybersoft, Inc. or (b) Consumer’s Personal Information Request Form via the Contact Us link on the Cybersoft website at https://www.cybersoftbpo.com or email to consumerprivacy@cybersoftbpo.com or our data controller and data protection officer Andrew Ang at andrew.ang@cybersoftbpo.com.

 

Click [here] for a downloadable PDF version of this Privacy Policy of Cybersoft, Inc.
Click [here] for a downloadable PDF version of Consumer’s Personal Information Request Form or use the Online Form
Click [here] for a downloadable PDF version of Declaration of Consumer’s Identity Form or use the Online Form
Click [here] for a downloadable PDF version of Consumer’s Authorization of Authorized Agent Form
Click [here] for a downloadable PDF version of Declaration of Authorized Agent’s Identity Form or use the Online Form