top of page
Anchor 1

Privacy Policy

(Last Modified and Effective on August 1, 2024)

Online Posting and Effectivity

This Privacy Policy is posted online which can be accessed and obtained by download at https://www.cybersoftbpo.com/privacy-policy-2024 and also by clicking the “Privacy Policy” tab on Cybersoft's Website Homepage at https://www.cybersoftbpo.com for the convenience of consumers, customers and data subjects, and is presented in a format accessible to people with disabilities.
         
         This Privacy Policy is updated at least once every 12 months and any changes take effect upon the date of posting of the revised Privacy Policy.

​

​

Purpose

Cybersoft, Inc. (Cybersoft) adopts this privacy policy (“Privacy Policy”) to provide consumers, customers and data subjects with a description of Cybersoft’s practices regarding the collection, processing and retention of their nonpublic, personal and sensitive information; to inform consumers, customers and data subjects of the rights they have regarding their nonpublic, personal and sensitive information; and, to notify consumers, customers and data subjects of how to exercise those rights.

​​​

​

Coverage

This Privacy Policy covers every consumer, customer and data subject whose nonpublic, personal and sensitive information is in process or has been processed by Cybersoft in accordance with the following privacy regulations as may be applicable: the California Privacy Rights Act (CPRA) and CPRA Regulations, the California Consumer Privacy Act of 2018 (CCPA), as amended, and CCPA Regulations, as amended, the General Data Protection Regulation (GDPR), as amended, the Personal Data Privacy Ordinance (PDPO), as amended, and the Gramm-Leach-Bliley Act (GLBA), as amended.

 

          Under the CCPA and CPRA, a consumer is a natural person who is a California resident, or a California non-resident however identified, including by any unique identifier, when all of the following three conditions concur:

a. if that information is collected while the consumer was outside of California

b. if no part of the sale of the consumer’s personal information occurred in California

c. if no personal information collected while the consumer was in California is sold

whose personal and sensitive information is collected by businesses doing business in California and processed on their behalf by Cybersoft as service provider

 

         Under the GDPR, a data subject is an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier, whose personal data are collected by data controllers and processed on their behalf by Cybersoft as data processor.

 

         Under the PDPO, a data subject is a living individual whose personal data can be used to identify that individual and also exist in a form which access to or processing of is practicable and of which personal data are collected by data users and processed on their behalf by Cybersoft as data processor.

 

          Under the GLBA, a consumer is an individual obtaining a financial product or service from a financial institution for personal, family or household reasons whereas a customer is a consumer in a continuing customer relationship with a financial institution, both from whom for above-mentioned purposes, Nonpublic Personal Information (NPI) are collected by the financial institution and processed by Cybersoft as service provider.

 

 

Service Provider

Cybersoft is a service provider that performs data collection and processing pursuant to written contracts with business-contract-principals engaged in business data services, data analytics services and mortgage origination and lending services.

 

      On behalf of business-contract-principals engaged in business data services and data analytics services, Cybersoft collects and processes commercial data vis-à-vis business organizations and personal data of its business professionals in order to generate accurate, current and useful critical data that are made available to other business organizations and business professionals so as to enable them to readily perceive industry and market trends, to know who they are doing business with, to protect against fraud, to efficiently meet compliance and regulatory obligations, and to be better informed to manage their financial risks.

 

          With respect to business-contract-principals engaged in mortgage origination and lending services, Cybersoft is a nonaffiliated third-party service provider under written contractual agreements with financial institutions that prohibit the disclosure or use of Nonpublic Personal Information (NPI) other than to perform services for financial institutions to whom NPI about a consumer is disclosed.

 

 

Practices of Collection, Processing and Retention of Personal Information Compliant with Requirements of Purpose Limitation, Reasonable Consumer Expectation, Data Minimization and Storage Limitation

Cybersoft’s practices of collection, processing and retention of personal information are reasonably necessary and proportionate to meet the reasonable expectations of consumers, customers and data subjects regarding the purpose for which their information are obtained. Only the minimum amount of personal information required to accomplish a processing purpose is obtained. Detailed records of the applications or systems used to store personal data, internally or externally, are maintained to allow for steps to be readily taken to remove them from the systems when such data are no longer required for disclosed processing purposes.

 

         On behalf of its business-contract-principals engaged in business data services and data analytics service, Cybersoft first acquires pre-designated source documents containing data about business organizations which concomitantly contain publicly available personal information of its business professionals, i.e. data subjects, gathered from various data suppliers selected and engaged by the business-contract-principal. Cybersoft then captures data elements specified and defined by the business-contract-principal which it then converts to a secure encrypted format indicated by the business-contract-principal for delivery solely to the business-contract-principal through the electronic transmission mechanism chosen by the business-contract-principal. Cybersoft repeats the above-described practices to populate and grow the business-contract-principal’s data element bank. It updates data elements and retains the data for as long as is required by the business-contract-principal.

 

       Pursuant to its written contracts with business-contract-principals engaged in mortgage origination and lending services, Cybersoft receives images of documents and papers containing Nonpublic Personal Information (NPI) gathered from consumers, i.e. would-be-borrowers, and customers who do qualify and end up as borrowers. Cybersoft processes such data in the performance loan document organizer services, borrower submissions compliance monitoring services and income summary services in connection with the mortgage origination and lending business of its business-contract principals.

​

          Cybersoft does not sell, share, or use for its own commercial purpose any of the business-contract-principal’s data nor any of the consumers’, customers’ and data subjects’ personal information contained in the business-contract-principal’s data element bank.

 

​

Definitions

  • Nonpublic Personal information:
    Under the GLBA, "Nonpublic Personal Information" (NPI) is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."

 

  • Personal Data:
    Under the GDPR, “Personal data” are any information which are related to an identified or identifiable natural person.

​

  • Personal Information:
    Under the CCPA and CPRA, “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any personal information described in subdivision (e) of Section 1798.80, CCPA.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

(L) Sensitive personal information. (Section 1798.140(v), CCPA, as amended)

 

  •   Sensitive Personal Information:
               Under the CCPA and CPRA, “Sensitive personal information” means:

(1) Personal information that reveals:

(A) A consumer’s social security, driver’s license, state identification card, or passport number.

(B) A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

(C) A consumer’s precise geolocation.

(D) A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.

(E) The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.

(F) A consumer’s genetic data. (Section 1798.140(ae), CCPA, as amended)

 

  •   Publicly Available Personal Information:
      Under the CCPA and CPRA,

o  “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (§1798.80(e)(2), California Civil Code)

o  “Personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. (3) “Personal information” does not include consumer information that is de-identified or aggregate consumer information. (§1798.140(v)(2), CCPA, as amended)

 

  •   Publicly Available Sensitive Personal Information:
      Under the CCPA and CPRA,

o  “Sensitive personal information” that is “publicly available” pursuant to paragraph (2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal information or personal information. (Section 1798.140(ae)(3), CCPA, as amended)

 

Consumers’ Right to Know What Personal Information is Being Collected

Right to Access Personal Information

A consumer has the right to request that a business that collects personal information about the consumer disclose to the consumer all of the following:

(1) The categories of personal information collected about the consumer.

(2) The categories of sources from which the personal information is collected.

(3) The business or commercial purpose for which collected personal information is disclosed or sold.

(4) The categories of third parties to whom the business discloses personal information or sells.

(5) The categories of personal information that the business disclosed for a business purpose or sold, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information or sold.

 

         To exercise this consumer right, a consumer may submit to Cybersoft a Verifiable Consumer Request to know and access personal information. (See Verifiable Consumer Request Section below) As a service provider, Cybersoft is not required to comply with a Verifiable Consumer Request that is submitted by a consumer or a consumer’s authorized agent directly to Cybersoft to the extent that Cybersoft has collected personal information about the consumer in its role as a service provider. Instead, Cybersoft shall forward all Verifiable Consumer Requests that are received by it to the business with which it has a contractual relationship no later than 3 days from receipt.

 

      Within 10 business days after receiving a Verifiable Consumer Request, the business-contract-principal will confirm to the consumer the receipt of the request and provide information about how the request will be processed. A consumer can only make a Verifiable Consumer Request to know and access twice within a 12-month period. In all proper cases where Cybersoft’s business-contract-principal has verified a consumer’s Verifiable Consumer Request to know and access personal information and the consumer’s right thereto (See Verification of Consumer Identity Section below), business-contract-principal shall respond free of charge within 45 days of receiving a Verifiable Consumer Request from the consumer. The period to respond to the request may be extended once by an additional 45 days when reasonably necessary, notice and reason of which shall be given to the consumer.

 

         Under the GDPR, data subjects' requests under this right to access must be replied to by data controller without undue delay and in any event within one month from the receipt of a request. The deadline can be extended by two additional months taking into account the complexity and number of requests. In any case, the data subject must be informed of such an extension within one month from the receipt of a request.

 

          Under the PPDO, a data user must comply with a data access request within 40 days after receiving a data subject’s request.

 

       When so notified by the business-contract-principal, Cybersoft shall assist the business-contract-principal by providing to the business-contract-principal the consumer’s personal information in its possession that were obtained in connection with performing its contract with the business-contract-principal.

 

         In response to a request to know and access, the business-contract-principal shall furnish by category or categories the personal information that are not publicly available that were collected about the consumer for the applicable period of time by reference to the enumerated category or categories that most closely describes said collected personal information that are not publicly available; the categories of sources from which the consumer’s personal information that are not publicly available were collected; the business or commercial purpose for collecting and disclosing the consumer’s personal information that are not publicly available; the categories of third parties to whom the business-contract-principal discloses the consumer’s personal information that are not publicly available; and, specific pieces of personal information that are not publicly available. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation.

 

          Accessed information shall be in writing and in a format that is easily understandable to the consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. These shall be delivered to the consumer through the consumer’s account with the business-contract-principal if the consumer maintains an account with the business-contract-principal, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business-contract-principal.

 

      Accessed information shall cover the 12-month period preceding Cybersoft’s business-contract-principal’s receipt of the Verifiable Consumer Request to know and access. A consumer may request access to information beyond the 12-month period, and the business-contract-principal shall be so required unless doing so proves impossible or would involve a disproportionate effort. A consumer’s right to request access to information beyond the 12-month period, and a business-contract-principal’s obligation to furnish such information, shall only apply to personal information that are not publicly available collected on or after January 1, 2022.

 

          Cybersoft and its business-contract-principal shall maintain records of consumer Requests to Know and Access and how such requests were responded to under reasonable security procedures and practices for at least 24 months.

 

​

Verifiable Consumer Request

To exercise its consumer rights, a consumer, customer or data subject may submit to Cybersoft a Verifiable Consumer Request by completing the Consumer’s Personal Information Request Form provided for consumer’s convenience on the Cybersoft’s Website at https://www.cybersoftbpo.com/consumer-personal-information or by emailing to consumerprivacy@cybersoftbpo.com a request containing the minimum information set forth in the aforementioned request form.

 

           If the consumer has an account with the business-contract-principal, said  business-contract-principal may require the consumer to use that account to submit a Verifiable Consumer Request.

 

      A consumer, customer or data subject may be represented by an authorized agent in submitting a request. To protect consumer privacy and maintain data security, a completed and notarized Consumer’s Authorization of Authorized Agent Form downloadable from https://www.cybersoftbpo.com/privacy-policy-2024/#forms is required to be submitted along with a Consumer’s Personal Information Request Form and completed Declaration of Consumer’s Identity Form available at https://www.cybersoftbpo.com/declaration-of-consumer-identity and Declaration of Authorized Agent’s Identity Form available at https://www.cybersoftbpo.com/authorized-agent-identity.

 

           A consumer shall be given a confirmation of the receipt of the request and information about how the request will be processed no later than 10 business days after a request is received.

​

           A Verifiable Consumer Request shall not extend to personal information about the consumer that belongs to, or that the business-contract-principal maintains on behalf of, another natural person.

​

           If requests from a consumer, customer or data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the business-contract-principal may charge a reasonable fee, taking into account the administrative costs of providing the information or communication, or taking the action requested. Or, the business-contract-principal may refuse to act on the request and notify the consumer of the reason for refusing the request. In either case, the business-contract-principal shall bear the burden of demonstrating that a consumer request is manifestly unfounded or excessive or requires disproportionate effort.

​

     Records of Verifiable Consumer Requests are maintained under reasonable security procedures for at least 24 months.

 

​

Verification of Consumer Identity​

To protect consumer privacy and maintain data security, the person making a Verifiable Consumer Request shall be verified to be the consumer about whom the personal information was collected.

​

          Verification of Consumer Identity shall be done by requiring that a completed Declaration of Consumer’s Identity Form be submitted along with a Consumer’s Personal Information Request Form. A downloadable Declaration of Consumer’s Identity Form is available at https://www.cybersoftbpo.com/privacy-policy-2024/#forms. In case the consumer is represented by an authorized agent, a completed Declaration of Authorized Agent’s Identity Form is available at https://www.cybersoftbpo.com/authorized-agent-identity and shall be required to be submitted by the authorized agent.

​

          Cybersoft’s business-contract-principal may seek the authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business-contract-principal in order to make a Verifiable Consumer Request. A fee for the verification consumer identity shall not be required. For example, a requestor shall not be required to furnish a notarized affidavit to verify consumer identity unless business-contract-principal pays for the cost of notarization.

 

      To verify a consumer's identity, Cybersoft’s business-contract-principal shall, whenever feasible, match the identifying information provided by the requestor to the personal information of the consumer already maintained by the business-contract-principal.
​

  • A request to know and access categories of personal information shall require verification to a reasonable degree of certainty which may include matching at least two data points provided by the requestor with data points maintained by the business.
     

  • A request to know and access specific pieces of personal information shall require verification to a reasonably high degree of certainty which may include matching at least three pieces of personal information provided by the requestor with personal information maintained by the business.
     

  • A request to delete or a request to correct shall require verification to a reasonable or reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. Cybersoft’s business-contract-principal shall act in good faith when determining the appropriate standard to apply.
     

  • If Cybersoft’s business-contract-principal suspects fraudulent or malicious activity on or from a password-protected account, the business-contract-principal shall not comply with a consumer's request to know and access, request to delete or request to correct inaccurate personal information until further verification procedures determine that the consumer request is authentic and the consumer making the request is the person about whom the business-contract-principal has collected information.
     

  • Cybersoft’s business-contract-principal may rely on representations made in a request to establish a consumer’s rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have any right to the personal information. The business-contract-principal is under no legal obligation to take any action in the event of a dispute between or among persons claiming rights to personal information in the business-contract-principal's possession.

 

Records of signed Declarations are maintained under reasonable security procedures for at least 24 months.

​

​

Denial of Request​

A request shall be denied if the identity of requestor as consumer cannot be established. Cybersoft’s business-contract-principal shall issue the denial of request in writing to be delivered to the requestor by mail or electronically in the mode the request was received.

 

​

Categories of Personal Information

A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of the personal information it has collected about the consumer.

​

      In responding to the request, disclosure shall cover categories of personal information collected within 12 months preceding the receipt of the request.

 

           Pursuant to its written contracts with its business-contract-principals, Cybersoft collects data about business organizations which concomitantly contain publicly available personal information of its business professionals falling under any of the following categories:​

  • Identifiers: Examples of this information on business professionals include contact information such as real name, alias, job title, address, phone number, fax number, e-mail address, domain names, or other similar identifiers.

  • Commercial Information: Examples of this information on businesses include company profiles and statistics, including number of employees; assets, net worth; and business relationships.

  • Geolocation Data: Examples of this information on businesses include territories, locations and geographical operation histories of companies, subsidiaries, affiliates, and lines of business.

  • Professional Information: Examples of this information on business professionals include background profiles and information regarding company management, such as beneficial ownership/persons of significant control, and the educational and career histories of company principals.

 

Personal information does not include information excluded from the CCPA’s scope, such as:

  • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;

  • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

 

​

Disclaimers by Cybersoft​

Pursuant to written contracts entered into between Cybersoft and business-contract-principals, Cybersoft, as a service provider on behalf of a business-contract-principal, Cybersoft captures data elements specified and defined by the business-contract-principal from pre-designated source documents containing data about business organizations which concomitantly contain publicly available personal information of its business professionals it then converts to a secure encrypted format indicated by the business-contract-principal for delivery solely to the business-contract-principal through the electronic transmission mechanism chosen by the business-contract-principal.

              In view of the foregoing, the following disclaimers are being made by Cybersoft:

  • Cybersoft only uses, i.e. collects and processes, publicly available personal information reasonably necessary and proportionate to perform data analytic services pursuant to written contracts, resulting processed data of which are disclosed solely to its business-contract-principals and not to any third party.

  • Cybersoft has not sold or shared consumers’ personal information to a third party in the preceding 12 months.

  • Cybersoft has not disclosed consumer’s personal information for a business purpose to a third party in the preceding 12 months.

  • Cybersoft does not sell the personal information of consumers actually known to be less than 16 years of age.

  • Cybersoft does not buy, receive for commercial purposes or make available for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year.

 

​

Categories of Sources of Personal Information​

A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of sources from which the personal information is collected.

​

        Cybersoft is a service provider that performs data collection and processing pursuant to written contracts with business-contract-principals engaged in business data services and data analytics services. On behalf of its business-contract-principals, Cybersoft acquires pre-designated source documents containing data about business organizations which concomitantly contain publicly available personal information of its business professionals gathered from various data suppliers selected and engaged by its business-contract-principals. The sources of personal information fall under any of the following categories:

  • Data vendors

  • Governmental and administrative public recorders

  • Courts, regulatory bodies and law enforcement agencies

  • Public sector information and company registrars

  • Media

          Cybersoft updates data collected about subject business organizations including collected publicly available personal information of its business professionals by calling the business organizations concerned.

 

​

Consumers’ Right to Know What Personal Information Is Disclosed and to Whom

A consumer has the right to request a business that discloses personal information for a business purpose disclose to that consumer:

(1) Categories the personal information of the consumer that the business disclosed for a business purpose during the applicable period of time in the preceding 12 months

(2) Categories of third parties to whom the consumer’s personal information was disclosed for a business purpose during the applicable period of time in the preceding 12 months.
 

         To exercise this consumer right, a consumer may submit to Cybersoft a Verifiable Consumer Request to know what personal information is disclosed and to whom. (See Verifiable Request Section) As a service provider, Cybersoft is not required to comply with a Verifiable Consumer Request that is submitted by a consumer or a consumer’s authorized agent directly to Cybersoft to the extent that Cybersoft has collected personal information about the consumer in its role as a service provider. Instead, Cybersoft shall forward all Verifiable Consumer Requests that are received by it to the business with which it has a contractual relationship no later than 3 days from receipt.

 

      Within 10 business days after receiving a Verifiable Consumer Request, the business-contract-principal will confirm to the consumer the receipt of the request and provide information about how the request will be processed. A consumer can only make a Verifiable Consumer Request to know what personal information is disclosed and to whom twice within a 12-month period. In all proper cases where Cybersoft’s business-contract-principal has verified a consumer’s Verifiable Consumer Request to know what personal information is disclosed and to whom and the consumer’s right thereto (See Verification of Consumer Identity Section), business-contract-principal shall respond free of charge within 45 days of receiving a verifiable consumer request from the consumer. The period to respond to the request may be extended once by an additional 45 days when reasonably necessary, notice and reason of which shall be given to the consumer.

 

          In response to a Request to Know What Personal Information Is Disclosed and to Whom, the business-contract-principal shall furnish by category or categories the personal information that are not publicly available that were collected about the consumer for the applicable period of time by reference to the enumerated category or categories that most closely describes said collected personal information that are not publicly available; the categories of sources from which the consumer’s personal information that are not publicly available were collected; the business or commercial purpose for collecting and disclosing the consumer’s personal information that are not publicly available; the categories of third parties to whom the business-contract-principal discloses the consumer’s personal information that are not publicly available; and, specific pieces of personal information that are not publicly available. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation.

 

          Accessed information shall be in writing and in a format that is easily understandable to the consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. These shall be delivered to the consumer through the consumer’s account with the business-contract-principal if the consumer maintains an account with the business-contract-principal, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business-contract-principal.

 

      Accessed information shall cover the 12-month period preceding Cybersoft’s business-contract-principal’s receipt of the Verifiable Consumer Request to know what personal information is disclosed and to whom. A consumer may request access to such information beyond the 12-month period, and the business-contract-principal shall be so required unless doing so proves impossible or would involve a disproportionate effort. A consumer’s right to request access to information beyond the 12-month period, and a business-contract-principal’s obligation to furnish such information, shall only apply to personal information that are not publicly available collected on or after January 1, 2022.


          Cybersoft and its business-contract-principal shall maintain records of consumer Requests to Know What Personal Information Is Disclosed and to Whom and how such requests were responded to under reasonable security procedures and practices for at least 24 months.

 

​

Consumers’ Right to Opt-Out of Sale or Sharing of Personal Information

A consumer has the right to opt-out and direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information.

 

          Cybersoft does not sell or share personal information. Accordingly, Cybersoft is covered by the exemption under Section 7013(g) of CCPA Regulations, as amended. Cybersoft is not required to post a Notice of Right to Opt-out of Sale/Sharing and furnish a “Do Not Sell or Share My Personal Information” Link or provide a method to opt-out.

 

          Under the PDPO, data subjects covered by Cybersoft’s written agreements with data users which do not involve direct marketing, as such, are not extended the right to object or opt out of disclosures of their personal data to Cybersoft.

 

           Under the GLBA, the Section 14 Exception applies to Cybersoft’s customers and consumers as provided in 16 CFR § 313.14(a)(1). For this reason, Cybersoft’s customers and consumers have no right to opt out of disclosures made to Cybersoft of their Nonpublic Personal Information (NPI).

 

 

Consumer’s Right to Delete Personal Information

A consumer has the right to request that a business delete any personal information about the consumer which the business has collected for a business purpose.

 

         To exercise this consumer right, a consumer may submit to Cybersoft a Verifiable Consumer Request to delete personal information. (See Verifiable Request Section) As a service provider, Cybersoft is not required to comply with a Verifiable Consumer Request that is submitted by a consumer or a consumer’s authorized agent directly to Cybersoft to the extent that Cybersoft has collected personal information about the consumer in its role as a service provider. Instead, Cybersoft shall forward the Verifiable Consumer Request received by it to the business with which it has a contractual relationship no later than 3 days from receipt.

 

      Within 10 business days after receiving a Verifiable Consumer Request, the business-contract-principal will confirm to the consumer the receipt of the request and provide information about how the request will be processed. A consumer can only make a Verifiable Consumer Request to know and access twice within a 12-month period. In all proper cases where Cybersoft’s business-contract-principal has verified a consumer’s Verifiable Consumer Request to delete (See Verification of Consumer Identity Section), business-contract-principal shall respond within 45 days of receiving the request from the consumer. If the business-contact-principal stores any personal information on archived or backup systems, it may delay compliance with the consumer's request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system. The period to respond to the request may be extended once by an additional 45 days when reasonably necessary, notice and reason of which shall be given to the consumer.

 

       To comply with consumer’s request to delete, business-contract-principal and Cybersoft, upon notification as service provider, shall permanently and completely erase the personal information from their existing systems except from their archived or backup systems, de-identify the personal information, or aggregate the consumer information.

 

        The business-contract-principal and Cybersoft shall comply with a consumer’s request to delete a consumer’s personal information unless an exception applies under law, e.g. Section 1798.105(d) of CCPA, as amended.

 

       In case a consumer’s request to delete is denied in whole or in part, business-contract-principal shall do all of the following:

(1) Provide to the consumer a detailed explanation of the basis for the denial, including any conflict with federal or state law, exception to the CCPA, or factual basis for contending that compliance would be impossible or involve disproportionate effort, unless prohibited from doing so by law.

(2) Delete the consumer’s personal information that is not subject to the exception.

(3) Not use the consumer’s personal information retained for any other purpose than provided for by that exception; and

(4) Instruct its service providers and contractors to delete the consumer’s personal information that is not subject to the exception and to not use the consumer’s personal information retained for any purpose other than the purpose provided for by that exception.

(5) Give the consumer a Notice of Right to Opt-out of Sale/Sharing or an Opt-out link if the business-contract principal sells or shares consumer’s personal information.
 

          Cybersoft’s business-contract-principal shall inform consumer of how the request to delete was handled. Consumer shall, likewise, be notified that records of consumer Requests to Delete Personal Information and accounts of how the requests were handled shall be maintained under reasonable security procedures and practices for at least 24 months for purposes of ensuring that the consumer’s personal information remains deleted from its records and preventing its sale or use.

 

          Under the GDPR, a data subject is granted the right to erasure of personal data by a data controller, free of charge, which applies to specific grounds, such as where consent of the data subject is withdrawn and there is no other legal ground for processing, or the personal data is no longer necessary for the purpose of which it was collected.

 

          Under the PDPO, data subjects are not granted the specific right to request the erasure or deletion of personal data. However, a data user must take all practicable steps to erase personal data held by the data user where the data is no longer required for the purpose (including any directly related purpose) for which the data was used unless (a) any such erasure is prohibited under any law; or (b) it is in the public interest (including historical interest) for the data not to be erased.

 

 

Consumer’s Right to Correct Inaccurate Personal Information

A consumer has the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

 

         To exercise this consumer right, a consumer may submit to Cybersoft a Verifiable Consumer Request to correct inaccurate personal information. (See Verifiable Consumer Request Section) As a service provider, Cybersoft is not required to comply with a Verifiable Consumer Request that is submitted by a consumer or a consumer’s authorized agent directly to Cybersoft to the extent that Cybersoft has collected personal information about the consumer in its role as a service provider. Instead, Cybersoft shall forward all Verifiable Consumer Requests that are received by it to the business with which it has a contractual relationship no later than 3 days from receipt.

 

      Within 10 business days after receiving a Verifiable Consumer Request, the business-contract-principal will confirm to the consumer the receipt of the request and provide information about how the request will be processed. A consumer can only make a Verifiable Consumer Request to know and access twice within a 12-month period. In all proper cases where Cybersoft’s business-contract-principal has verified a consumer’s Verifiable Consumer Request to correct inaccurate personal information and the consumer’s right thereto (See Verification of Consumer Identity Section), business-contract-principal shall respond within 45 days of receiving the request from the consumer. If any personal information that is the subject of the request to correct is stored on archived or backup systems, it may delay compliance with the consumer’s request to correct, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or is next accessed or used. The period to respond to the request may be extended once by an additional 45 days when reasonably necessary, notice and reason of which shall be given to the consumer.

 

         To determine the accuracy of the personal information that is the subject of a consumer’s request to correct, the totality of the circumstances relating to the contested personal information shall be considered including the nature of the personal information, e.g. objective, subjective, unstructured, sensitive, how the business-contract-principal obtained the contested information and the documentation relating to the accuracy of the information whether provided by the consumer, the business, or another source.

 

        When the personal information sought for correction is a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics, no disclosure shall be made, pursuant to CCPA Regulations, as amended.

 

         The request shall be denied if there is a good-faith, reasonable, and documented belief that the request to correct is fraudulent or abusive. In communicating the denial of the request to consumer, the business-contract-principal shall inform the consumer of the basis for the denial such as conflict with federal or state law, exception to the CCPA, inadequacy in the required documentation, or contention that compliance proves impossible or involves disproportionate effort which will be duly explained.

 

       If a correction is in order, business-contract-principal shall use commercially reasonable efforts to correct the inaccurate personal information at issue on its existing systems, instruct Cybersoft to do the same, and inform the consumer. In addition, where Cybersoft and its business-contract-principal are not the source of the information that the consumer contends is inaccurate, the consumer shall be provided with the name of the source of the alleged inaccurate information.

 

          Upon consumer’s request, the business-contract-principal shall disclose specific pieces of personal information that business-contract-principal has collected and maintains about the consumer to allow the consumer to confirm that the business has corrected the inaccurate information that was the subject of the consumer’s request to correct. This disclosure shall not be counted against or diminish the two-request limit within a 12-month period on consumers.

 

        Cybersoft and its business-contract-principal shall maintain for at least 24 months, under reasonable security procedures and practices, the records of consumer Requests to Correct Inaccurate Personal Information, related documentations and accounts of how the requests were handled.

 

          Under the PDPO, where the person from whom personal data is or is to be collected is the data subject, all practicable steps shall be taken by data user to ensure that he is explicitly informed on or before first use of the data for the purpose for which it was collected and of his rights to request access to and to request the correction of the data.

 

 

Consumer’s Right to Limit Use and Disclosure of Sensitive Personal Information

A consumer has the right to direct a business that collects sensitive personal information about the consumer to limit its use and disclosure of the consumer’s sensitive personal information, and has the right to be furnished a method for submitting a request to limit.

 

     Cybersoft, as a service provider pursuant to written contracts with business-contract-principals, uses sensitive personal information to perform services on behalf of its business-contract-principals. As such, Cybersoft is covered by the exemption under Section 7027(m) of CCPA Regulations, as amended. Cybersoft is not required to post a Notice of Right to Limit and furnish a “Limit the Use of My Sensitive Personal Information” link or provide a method for submitting a request to limit.

 

​

Non-Discrimination

Cybersoft does not discriminate against any consumer, customer or data subject for exercising consumer rights under the CCPA, as amended.

 

          The denial of a consumer’s, customer’s or data subject’s request to know, obtain disclosure of, correct, or delete personal information, or limit the use or disclosure of sensitive personal information for reasons permitted by the CCPA, as amended, or CCPA Regulations, as amended, is not discriminatory.

 

 

Authorized Agent

         An authorized agent may represent a consumer, customer or data subject in submitting a request to know, obtain the disclosure of, correct, or delete a consumer’s, customer’s or data subject’s processed or in-process personal information that are not publicly available, or limit the use or disclosure of a consumer’s, customer’s or data subject’s processed or in-process sensitive personal information that are not publicly available. To protect consumer privacy and maintain data security, a completed and notarized Consumer’s Authorization of Authorized Agent Form downloadable from https://www.cybersoftbpo.com/privacy-policy-2024/#forms shall be required to be submitted along with a Consumer’s Personal Information Request Form and completed Declaration of Consumer’s Identity Form available at https://www.cybersoftbpo.com/declaration-of-consumer-identity and Declaration of Authorized Agent’s Identity Form available at https://www.cybersoftbpo.com/authorized-agent-identity.

 

​

Amendments to Privacy Policy​

Cybersoft reserves the right to modify and revise this Privacy Policy at its discretion and at any time. Should modifications and revisions be made, the modified and revised Privacy Policy shall be posted on the Website at https://www.cybersoftbpo.com and the effective date of the Privacy Policy will be updated.

 

 

Contact Information​

Please send any questions or comments about the (a) Privacy Policy of Cybersoft, Inc. or

(b) Consumer’s Personal Information Request Form via the Contact Us link on the Cybersoft Website at https://www.cybersoftbpo.com or e-mail to consumerprivacy@cybersoftbpo.com or our data controller and data protection officer Rommel Bernardo at rommel.bernardo@cybersoftbpo.com.

 

Click here for a downloadable PDF version of this Privacy Policy of Cybersoft, Inc.

Click here for a downloadable PDF version of Consumer’s Personal Information Request Form

Click here for a downloadable PDF version of Declaration of Consumer’s Identity Form

Click here for a downloadable PDF version of Consumer’s Authorization of Authorized Agent Form

Click here for a downloadable PDF version of Declaration of Authorized Agent’s Identity Form

forms
bottom of page