Anchor 1

Privacy Policy

Last Modified and Effective on August 1, 2023

Consumer’s Personal Information Request Form

Declaration of Authorized Agent’s Identity Form

Purpose

Cybersoft, Inc. (Cybersoft) adopts this privacy policy (“Privacy Policy”) to provide consumers with a description of Cybersoft’s practices regarding the collection, processing, and retention of consumers’ personal information; to inform consumers of the rights they have regarding their personal information; and, to notify consumers of how to exercise those rights under the California Consumer Privacy Act of 2018 (CCPA), as amended, and CCPA Regulations, as amended.

Coverage

This Privacy Policy covers every consumer that is a natural person who is a California resident and the consumers’ personal information processed or in process by Cybersoft.

Additionally, in instances where the consumer is a natural person who is not a California resident however identified, including by any unique identifier, this Privacy Policy covers the consumer’s personal information that is collected when all of the following three conditions concur:

a. if that information is collected while the consumer was outside of California
b. if no part of the sale of the consumer’s personal information occurred in California
c. if no personal information collected while the consumer was in California is sold.

Online Posting and Effectivity

This Privacy Policy is posted online which can be accessed and downloaded at
https://www.cybersoftbpo.com/privacy-policy-2023 and by clicking the “Privacy” tab on
Cybersoft's Website Homepage at https://www.cybersoftbpo.com for the convenience of
consumers and is presented in a format accessible to people with disabilities.

This Privacy Policy is updated at least once every 12 months and any changes take effect upon the date of posting of the revised Privacy Policy.

Service Provider

Cybersoft is a service provider under the CCPA, as amended, that performs data collection and processing pursuant to written contracts with business-contract-principals engaged in business data services and data analytics services.

Pursuant to its contracts, Cybersoft, on behalf of a business-contract-principal, acquires
pre-designated source documents containing data about business organizations which
concomitantly contain publicly available personal information of its business professionals
gathered from various data suppliers selected and engaged by the business-contract-principal.

Cybersoft collects and processes such data to produce commercial data vis-à-vis business organizations and its business professionals that are then supplied to and among other business organizations and business professionals.

The overall business purpose is to generate accurate, current and useful critical data that
are made available to business organizations and business professionals in order to enable them to readily perceive organizations, industries and markets, to know who they are doing business with, to protect against fraud, to efficiently meet compliance and regulatory obligations, and to be better informed to manage their financial risks.

Practices of Collection, Processing and Retention of Publicly Available Personal Information

In accordance with written contracts entered into between Cybersoft and business-contract-principals, Cybersoft, as a service provider on behalf of a business-contract-principal, first acquires pre-designated source documents containing data about business organizations which concomitantly contain publicly available personal information of its business professionals gathered from various data suppliers selected and engaged by the business-contract-principal.

Cybersoft then captures data elements specified and defined by the business-contract-principal which it then converts to a secure encrypted format indicated by the business-contract-principal for delivery solely to the business-contract-principal through the electronic transmission mechanism chosen by the business-contract-principal. Cybersoft repeats the above-described practices to populate and grow the business-contract-principal’s data element bank. It updates data elements and retains the data for as long as is required by the business-contract-principal.

Cybersoft’s collection, processing, and retention of consumers’ publicly available personal
information are reasonably necessary, appropriate and proportionate to achieve the business purposes for which such personal information are collected or processed and are compatible with the context in which such personal information are collected.

Cybersoft does not sell, share, or use for its own commercial purpose any of the business-contract-principal’s data nor any of the consumers’ personal information contained in the business-contract-principal’s data element bank.

Definitions

Personal Information:

“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any personal information described in subdivision (e) of Section 1798.80, CCPA.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(L) Sensitive personal information. (Section 1798.140(v), CCPA, as amended)

Sensitive Personal Information:

“Sensitive personal information” means:
(1) Personal information that reveals:
(A) A consumer’s social security, driver’s license, state identification card, or passport number.
(B) A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
(C) A consumer’s precise geolocation.
(D) A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union
membership.
(E) The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.
(F) A consumer’s genetic data. (Section 1798.140(ae), CCPA, as amended)

Publicly Available Personal Information:
- “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (§1798.80(e)(2), California Civil Code)
- “Personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. (3) “Personal information” does not include consumer information that is de-identified or aggregate consumer information. (§1798.140(v)(2), CCPA, as amended)

Publicly Available Sensitive Personal Information:
- “Sensitive personal information” that is “publicly available” pursuant to paragraph (2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal information or personal information. (Section 1798.140(ae)(3), CCPA, as amended)

Consumers’ Right to Know What Personal Information is Being Collected
Right to Access Personal Information

A consumer has the right to request that a business that collects personal information about the consumer disclose to the consumer all of the following:

(1) The categories of personal information collected about the consumer.
(2) The categories of sources from which the personal information is collected.
(3) The business or commercial purpose for which collected personal information is
disclosed or sold.
(4) The categories of third parties to whom the business discloses personal information or sells.
(5) The categories of personal information that the business disclosed for a business
purpose or sold, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information or sold.

To exercise this consumer right, a consumer may submit to Cybersoft a Verifiable
Consumer Request to know and access personal information. (See Verifiable Consumer Request Section) As a service provider under the CCPA, as amended, Cybersoft is not required to comply with a Verifiable Consumer Request that is submitted by a consumer or a consumer’s authorized agent directly to Cybersoft to the extent that Cybersoft has collected personal information about the consumer in its role as a service provider. Instead, Cybersoft shall forward all Verifiable Consumer Requests that are received by it to the business with which it has a contractual relationship no later than 3 days from receipt.

Within 10 business days after receiving a Verifiable Consumer Request, the business-contract-principal will confirm to the consumer the receipt of the request and provide information about how the request will be processed. A consumer can only make a Verifiable Consumer Request to know and access twice within a 12-month period. In all proper cases where Cybersoft’s business-contract-principal has verified a consumer’s Verifiable Consumer Request to know and access personal information and the consumer’s right thereto (See Verification of Consumer Identity Section), business-contract-principal shall respond free of charge within 45 days of receiving a Verifiable Consumer Request from the consumer. The period to respond to the request may be extended once by an additional 45 days when reasonably necessary, notice
and reason of which shall be given to the consumer.

When so notified by the business-contract-principal, Cybersoft shall assist the business-contract-principal by providing to the business-contract-principal the consumer’s personal information in its possession that were obtained in connection with performing its contract with the business-contract-principal.

In response to a request to know and access, the business-contract-principal shall furnish
by category or categories the personal information that are not publicly available that were
collected about the consumer for the applicable period of time by reference to the enumerated category or categories that most closely describes said collected personal information that are not publicly available; the categories of sources from which the consumer’s personal information that are not publicly available were collected; the business or commercial purpose for collecting and disclosing the consumer’s personal information that are not publicly available; the categories of third parties to whom the business-contract-principal discloses the consumer’s personal information that are not publicly available; and, specific pieces of personal information that are not publicly available. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation.

Accessed information shall be in writing and in a format that is easily understandable to
the consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. These shall be delivered to the consumer through the consumer’s account with the business-contract-principal if the consumer maintains an account with the business-contract-principal, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business-contract-principal.

Accessed information shall cover the 12-month period preceding Cybersoft’s business-contract-principal’s receipt of the Verifiable Consumer Request to know and access. A consumer may request access to information beyond the 12-month period, and the business-contract-principal shall be so required unless doing so proves impossible or would involve a disproportionate effort. A consumer’s right to request access to information beyond the 12-month period, and a business-contract-principal’s obligation to furnish such information, shall only apply to personal information that are not publicly available collected on or after January 1, 2022.

Cybersoft and its business-contract-principal shall maintain records of consumer Requests to Know and Access and how such requests were responded to under reasonable security procedures and practices for at least 24 months.

Verifiable Consumer Request

To exercise its consumer rights, a consumer may submit to Cybersoft a Verifiable Consumer Request by completing the Consumer’s Personal Information Request Form provided for consumer’s convenience on the Cybersoft’s Website at
https://www.cybersoftbpo.com/consumer-personal-information or by emailing to
consumerprivacy@cybersoftbpo.com a request containing the minimum information set forth in the aforementioned request form.

If the consumer has an account with the business-contract-principal, said business-contract-principal may require the consumer to use that account to submit a Verifiable Consumer Request.

A consumer may be represented by an authorized agent in submitting a request. To
protect consumer privacy and maintain data security, a completed and notarized Consumer’s Authorization of Authorized Agent Form downloadable from
https://www.cybersoftbpo.com/privacy-policy-2023/#forms is required to be submitted along with a Consumer’s Personal Information Request Form and completed Declaration of Consumer’s Identity Form available at https://www.cybersoftbpo.com/declaration-of-consumer-identity and Declaration of Authorized Agent’s Identity Form available at
https://www.cybersoftbpo.com/authorized-agent-identity.

A consumer shall be given a confirmation of the receipt of the request and information
about how the request will be processed no later than 10 business days after a request is
received.

A Verifiable Consumer Request shall not extend to personal information about the
consumer that belongs to, or that the business-contract-principal maintains on behalf of, another natural person.

If requests from a consumer are manifestly unfounded or excessive, in particular because
of their repetitive character, the business-contract-principal may charge a reasonable fee, taking into account the administrative costs of providing the information or communication, or taking the action requested. Or, the business-contract-principal may refuse to act on the request and notify the consumer of the reason for refusing the request. In either case, the business-contract-principal shall bear the burden of demonstrating that a consumer request is manifestly unfounded or excessive or requires disproportionate effort.

Records of Verifiable Consumer Requests are maintained under reasonable security
procedures for at least 24 months.

Verification of Consumer Identity

To protect consumer privacy and maintain data security, the person making a Verifiable
Consumer Request shall be verified to be the consumer about whom the personal information was collected.

Verification of Consumer Identity shall be done by requiring that a completed Declaration
of Consumer’s Identity Form be submitted along with a Consumer’s Personal Information
Request Form. A downloadable Declaration of Consumer’s Identity Form is available at
https://www.cybersoftbpo.com/privacy-policy-2023/#forms.In case the consumer is
represented by an authorized agent, a completed Declaration of Authorized Agent’s Identity Form is available at https://www.cybersoftbpo.com/authorized-agent-identity and shall be required to be submitted by the authorized agent.

Cybersoft’s business-contract-principal may seek the authentication of the consumer that
is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business-contract-principal in order to make a Verifiable Consumer Request. A fee for the verification consumer identity shall not be required. For example, a requestor shall not be required to furnish a notarized affidavit to verify consumer identity unless business-contract-principal pays for the cost of notarization.

To verify a consumer's identity, Cybersoft’s business-contract-principal shall, whenever
feasible, match the identifying information provided by the requestor to the personal
information of the consumer already maintained by the business-contract-principal.

A request to know and access categories of personal information shall require verification to a reasonable degree of certainty which may include matching at least two data points provided by the requestor with data points maintained by the business.
A request to know and access specific pieces of personal information shall require
verification to a reasonably high degree of certainty which may include matching at least three pieces of personal information provided by the requestor with personal information maintained by the business.
A request to delete or a request to correct shall require verification to a reasonable or
reasonably high degree of certainty depending on the sensitivity of the personal
information and the risk of harm to the consumer posed by unauthorized deletion.
Cybersoft’s business-contract-principal shall act in good faith when determining the
appropriate standard to apply.
If Cybersoft’s business-contract-principal suspects fraudulent or malicious activity on or from a password-protected account, the business-contract-principal shall not comply with a consumer's request to know and access, request to delete or request to correct inaccurate personal information until further verification procedures determine that the consumer request is authentic and the consumer making the request is the person about whom the business-contract-principal has collected information.
Cybersoft’s business-contract-principal may rely on representations made in a request to establish a consumer’s rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have any right to the personal information. The business-contract-principal is under no legal obligation to take any action in the event of a dispute between or among persons claiming rights to personal information in the business-contract-principal's possession.

Records of signed Declarations are maintained under reasonable security procedures for at least 24 months.

Denial of Request

A request shall be denied if the identity of requestor as consumer cannot be established.
Cybersoft’s business-contract-principal shall issue the denial of request in writing to be delivered to the requestor by mail or electronically in the mode the request was received.

Categories of Personal Information

A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of the personal information it has collected about the consumer.

In responding to the request, disclosure shall cover categories of personal information
collected within 12 months preceding the receipt of the request.

Pursuant to its written contracts with its business-contract-principals, Cybersoft collects
data about business organizations which concomitantly contain publicly available personal information of its business professionals falling under any of the following categories:

Identifiers: Examples of this information on business professionals include contact information such as real name, alias, job title, address, phone number, fax number, e-mail address, domain names, or other similar identifiers.
Commercial Information: Examples of this information on businesses include company profiles and statistics, including number of employees; assets, net worth; and business relationships.
Geolocation Data: Examples of this information on businesses include territories, locations and geographical operation histories of companies, subsidiaries, affiliates, and lines of business.
Professional Information: Examples of this information on business professionals include background profiles and information regarding company management, such as beneficial ownership/persons of significant control, and the educational and career histories of company principals.

Personal information does not include information excluded from the CCPA’s scope, such as:

Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Disclaimers by Cybersoft

Pursuant to written contracts entered into between Cybersoft and business-contract-principals, Cybersoft, as a service provider on behalf of a business-contract-principal, Cybersoft captures data elements specified and defined by the business-contract-principal from pre-designated source documents containing data about business organizations which concomitantly contain publicly available personal information of its business professionals it then converts to a secure encrypted format indicated by the business-contract-principal for delivery solely to the business-contract-principal through the electronic transmission mechanism chosen by the business-contract-principal.

In view of the foregoing, the following disclaimers are being made by Cybersoft:

Cybersoft only uses, i.e. collects and processes, publicly available personal information reasonably necessary and proportionate to perform data analytic services pursuant to written contracts, resulting processed data of which are disclosed solely to its business-contract-principals and not to any third party.
Cybersoft has not sold or shared consumers’ personal information to a third party in the preceding 12 months.
Cybersoft has not disclosed consumer’s personal information for a business purpose to a third party in the preceding 12 months.
Cybersoft does not sell the personal information of consumers actually known to be less than 16 years of age.
Cybersoft does not buy, receive for commercial purposes or make available for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year.

Categories of Sources of Personal Information

A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of sources from which the personal information is collected.

Cybersoft is a service provider that performs data collection and processing pursuant to
written contracts with business-contract-principals engaged in business data services and data analytics services. On behalf of its business-contract-principals, Cybersoft acquires predesignated source documents containing data about business organizations which concomitantly contain publicly available personal information of its business professionals gathered from various data suppliers selected and engaged by its business-contract-principals. The sources of personal information fall under any of the following categories:

Data vendors
Governmental and administrative public recorders
Courts, regulatory bodies and law enforcement agencies
Public sector information and company registrars
Media

Cybersoft updates collected data about subject business organizations including collected publicly available personal information of its business professionals by calling the business organizations concerned.

Consumers’ Right to Know What Personal Information is Disclosed and to Whom

A consumer has the right to request a business that discloses personal information for a business purpose disclose to that consumer:

(1) Categories the personal information of the consumer that the business disclosed for a business purpose during the applicable period of time in the preceding 12 months
(2) Categories of third parties to whom the consumer’s personal information was
disclosed for a business purpose during the applicable period of time in the preceding 12 months.

To exercise this consumer right, a consumer may submit to Cybersoft a Verifiable
Consumer Request to know what personal information is disclosed and to whom. (See Verifiable Request Section) As a service provider under the CCPA, as amended, Cybersoft is not required to comply with a Verifiable Consumer Request that is submitted by a consumer or a consumer’s authorized agent directly to Cybersoft to the extent that Cybersoft has collected personal information about the consumer in its role as a service provider. Instead, Cybersoft shall forward all Verifiable Consumer Requests that are received by it to the business with which it has a contractual relationship no later than 3 days from receipt.

Within 10 business days after receiving a Verifiable Consumer Request, the business-contract-principal will confirm to the consumer the receipt of the request and provide
information about how the request will be processed. A consumer can only make a Verifiable Consumer Request to know what personal information is disclosed and to whom twice within a 12-month period. In all proper cases where Cybersoft’s business-contract-principal has verified a consumer’s Verifiable Consumer Request to know what personal information is disclosed and to whom and the consumer’s right thereto (See Verification of Consumer Identity Section), business-contract-principal shall respond free of charge within 45 days of receiving a verifiable consumer request from the consumer. The period to respond to the request may be extended once by an additional 45 days when reasonably necessary, notice and reason of which shall be given to the consumer.

In response to a request to know what personal information is disclosed and to whom,
the business-contract-principal shall furnish by category or categories the personal information that are not publicly available that were collected about the consumer for the applicable period of time by reference to the enumerated category or categories that most closely describes said collected personal information that are not publicly available; the categories of sources from which the consumer’s personal information that are not publicly available were collected; the business or commercial purpose for collecting and disclosing the consumer’s personal information that are not publicly available; the categories of third parties to whom the business-contract-principal discloses the consumer’s personal information that are not publicly available; and, specific pieces of personal information that are not publicly available. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation.

Accessed information shall cover the 12-month period preceding Cybersoft’s business-contract-principal’s receipt of the Verifiable Consumer Request to know what personal
information is disclosed and to whom. A consumer may request access to such information beyond the 12-month period, and the business-contract-principal shall be so required unless doing so proves impossible or would involve a disproportionate effort. A consumer’s right to request access to information beyond the 12-month period, and a business-contract-principal’s obligation to furnish such information, shall only apply to personal information that are not publicly available collected on or after January 1, 2022.

Cybersoft and its business-contract-principal shall maintain records of consumer
Requests to Know What Personal Information Is Disclosed and To Whom and how such requests were responded to under reasonable security procedures and practices for at least 24 months.

Consumers’ Right to Opt-Out of Sale or Sharing of Personal Information

A consumer has the right to opt-out and direct a business that sells or shares personal
information about the consumer to third parties not to sell or share the consumer’s personal information.

Cybersoft does not sell or share personal information. Accordingly, Cybersoft is covered
by the exemption under Section 7013(g) of CCPA Regulations, as amended. Cybersoft is not required to post a Notice of Right to Opt-out of Sale/Sharing and furnish a “Do Not Sell or Share My Personal Information” Link or provide a method to opt-out.

Consumer’s Right to Delete Personal Information

A consumer has the right to request that a business delete any personal information about the consumer which the business has collected for a business purpose.

To exercise this consumer right, a consumer may submit to Cybersoft a Verifiable
Consumer Request to delete personal information. (See Verifiable Request Section) As a service provider under the CCPA, as amended, Cybersoft is not required to comply with a Verifiable Consumer Request that is submitted by a consumer or a consumer’s authorized agent directly to Cybersoft to the extent that Cybersoft has collected personal information about the consumer in its role as a service provider. Instead, Cybersoft shall forward the Verifiable Consumer Request received by it to the business with which it has a contractual relationship no later than 3 days from receipt.

Within 10 business days after receiving a Verifiable Consumer Request, the business-contract-principal will confirm to the consumer the receipt of the request and provide
information about how the request will be processed. A consumer can only make a Verifiable Consumer Request to know and access twice within a 12-month period. In all proper cases where Cybersoft’s business-contract-principal has verified a consumer’s Verifiable Consumer Request to delete (See Verification of Consumer Identity Section), business-contract-principal shall respond within 45 days of receiving the request from the consumer. If the business-contract-principal stores any personal information on archived or backup systems, it may delay compliance with the consumer's request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system. The period to respond to the request may be extended once by an additional 45 days when reasonably necessary, notice and reason of which shall be given to the consumer.

To comply with consumer’s request to delete, business-contract-principal and Cybersoft,
upon notification as service provider, shall permanently and completely erase the personal
information from their existing systems except from their archived or backup systems, deidentify the personal information, or aggregate the consumer information.

The business-contract-principal and Cybersoft shall comply with a consumer’s request to
delete a consumer’s personal information unless an exception applies under law, e.g. Section 1798.105(d) of CCPA, as amended.

In case a consumer’s request to delete is denied in whole or in part, business-contract-principal shall do all of the following:

(1) Provide to the consumer a detailed explanation of the basis for the denial, including any conflict with federal or state law, exception to the CCPA, or factual basis for contending that compliance would be impossible or involve disproportionate effort, unless prohibited from doing so by law.
(2) Delete the consumer’s personal information that is not subject to the exception.
(3) Not use the consumer’s personal information retained for any other purpose than
provided for by that exception; and
(4) Instruct its service providers and contractors to delete the consumer’s personal
information that is not subject to the exception and to not use the consumer’s personal information retained for any purpose other than the purpose provided for by that exception.
(5) Give the consumer a Notice of Right to Opt-out of Sale/Sharing or an Opt-out link if the business-contract principal sells or shares consumer’s personal information.

Cybersoft’s business-contract-principal shall inform consumer of how the request to
delete was handled. Consumer shall, likewise, be notified that records of consumer Requests to Delete Personal Information and accounts of how the requests were handled shall be maintained under reasonable security procedures and practices for at least 24 months for purposes of ensuring that the consumer’s personal information remains deleted from its records and preventing its sale or use.

Consumer’s Right to Correct Inaccurate Personal Information

A consumer has the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

To exercise this consumer right, a consumer may submit to Cybersoft a Verifiable
Consumer Request to correct inaccurate personal information. (See Verifiable Consumer Request Section) As a service provider under the CCPA, as amended, Cybersoft is not required to comply with a Verifiable Consumer Request that is submitted by a consumer or a consumer’s authorized agent directly to Cybersoft to the extent that Cybersoft has collected personal information about the consumer in its role as a service provider. Instead, Cybersoft shall forward all Verifiable Consumer Requests that are received by it to the business with which it has a contractual relationship no later than 3 days from receipt.

Within 10 business days after receiving a Verifiable Consumer Request, the business-contract-principal will confirm to the consumer the receipt of the request and provide
information about how the request will be processed. A consumer can only make a Verifiable Consumer Request to know and access twice within a 12-month period. In all proper cases where Cybersoft’s business-contract-principal has verified a consumer’s Verifiable Consumer Request to correct inaccurate personal information and the consumer’s right thereto (See Verification of Consumer Identity Section), business-contract-principal shall respond within 45 days of receiving the request from the consumer. If any personal information that is the subject of the request to correct is stored on archived or backup systems, it may delay compliance with the consumer’s request to correct, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or is next accessed
or used. The period to respond to the request may be extended once by an additional 45 days when reasonably necessary, notice and reason of which shall be given to the consumer.

To determine the accuracy of the personal information that is the subject of a consumer’s
request to correct, the totality of the circumstances relating to the contested personal
information shall be considered including the nature of the personal information, e.g. objective, subjective, unstructured, sensitive, how the business-contract-principal obtained the contested information and the documentation relating to the accuracy of the information whether provided by the consumer, the business, or another source.

When the personal information sought for correction is a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics, no disclosure shall be made, pursuant to CCPA Regulations, as amended.

The request shall be denied if there is a good-faith, reasonable, and documented belief
that the request to correct is fraudulent or abusive. In communicating the denial of the request to consumer, the business-contract-principal shall inform the consumer of the basis for the denial such as conflict with federal or state law, exception to the CCPA, inadequacy in the required documentation, or contention that compliance proves impossible or involves disproportionate effort which will be duly explained.

If a correction is in order, business-contract-principal shall use commercially reasonable
efforts to correct the inaccurate personal information at issue on its existing systems, instruct Cybersoft to do the same, and inform the consumer. In addition, where Cybersoft and its business-contract-principal are not the source of the information that the consumer contends is inaccurate, the consumer shall be provided with the name of the source of the alleged inaccurate information.

Upon consumer’s request, the business-contract-principal shall disclose specific pieces of
personal information that business-contract-principal has collected and maintains about the consumer to allow the consumer to confirm that the business has corrected the inaccurate information that was the subject of the consumer’s request to correct. This disclosure shall not be counted against or diminish the two-request limit within a 12-month period on consumers.

Cybersoft and its business-contract-principal shall maintain for at least 24 months, under
reasonable security procedures and practices, the records of consumer Requests to Correct Inaccurate Personal Information, related documentations and accounts of how the requests were handled.

Consumer’s Right to Limit Use and Disclosure of Sensitive Personal Information

A consumer has the right to direct a business that collects sensitive personal information about the consumer to limit its use and disclosure of the consumer’s sensitive personal information, and has the right to be furnished a method for submitting a request to limit.

Cybersoft, as a service provider under the CCPA, as amended, pursuant to written
contracts with business-contract-principals, uses sensitive personal information to perform
services on behalf of its business-contract-principals. As such, Cybersoft is covered by the exemption under Section 7027(m) of CCPA Regulations, as amended. Cybersoft is not required to post a Notice of Right to Limit and furnish a “Limit the Use of My Sensitive Personal Information” link or provide a method for submitting a request to limit.

Non-Discrimination

Cybersoft does not discriminate against any consumer for exercising consumer rights under the CCPA, as amended.

The denial of a consumer’s request to know, obtain disclosure of, correct, or delete
personal information, or limit the use or disclosure of sensitive personal information for reasons permitted by the CCPA, as amended, or CCPA Regulations, as amended, is not discriminatory.

Authorized Agent

An authorized agent may represent a consumer in submitting a request to know, obtain
the disclosure of, correct, or delete a consumer’s processed or in-process personal information that are not publicly available, or limit the use or disclosure of a consumer’s processed or inprocess sensitive personal information that are not publicly available. To protect consumer privacy and maintain data security, a completed and notarized Consumer’s Authorization of Authorized Agent Form downloadable from https://www.cybersoftbpo.com/privacy-policy-2023/#forms shall be required to be submitted along with a Consumer’s Personal Information Request Form and completed Declaration of Consumer’s Identity Form available at https://www.cybersoftbpo.com/declaration-of-consumer-identity and Declaration of Authorized Agent’s Identity Form available at https://www.cybersoftbpo.com/authorized-agentidentity.

Amendments to Privacy Policy

Cybersoft reserves the right to modify and revise this Privacy Policy at its discretion and at any time. Should modifications and revisions be made, the modified and revised Privacy Policy shall be posted on the Website at https://www.cybersoftbpo.com and the effective date of the Privacy Policy will be updated.

Contact Information

Please send any questions or comments about the (a) Privacy Policy of Cybersoft, Inc. or
(b) Consumer’s Personal Information Request Form via the Contact Us link on the Cybersoft Website at https://www.cybersoftbpo.com or e-mail to consumerprivacy@cybersoftbpo.com or our data controller and data protection officer Andrew Ang at andrew.ang@cybersoftbpo.com.

Click here [ ] for a downloadable PDF version of this Privacy Policy of Cybersoft, Inc.
Click here [ ] for a downloadable PDF version of Consumer’s Personal Information Request Form or use the Online Form
Click here [ ] for a downloadable PDF version of Declaration of Consumer’s Identity Form or use the Online Form
Click here [ ] for a downloadable PDF version of Consumer’s Authorization of Authorized Agent Form
Click here [ ] for a downloadable PDF version of Declaration of Authorized Agent’s Identity Form or use the Online Form

< Back

forms