Privacy Plan - Snow Leopard Security
Privacy Policy & Data Protection Plan
Effective Date: 1/10/2026
Last Updated: 1/10/2026
Company: Snow Leopard Security
Website: snowleopardsecurity.com
Contact: inquiries@snowleopardsecurity.com
1. Introduction
Snow Leopard Security ("we," "our," or "us") is committed to protecting the privacy and security of personal information. This Privacy Plan describes how we collect, use, disclose, and safeguard personal information in connection with our information security consulting services, including fractional vCISO services, compliance gap analysis, policy automation, and risk management services.
This Privacy Plan applies to:
- Our website (snowleopardsecurity.com)
- Our services and consulting engagements
- Communications with clients and prospects
- Marketing and business development activities
2. Information We Collect
2.1 Information You Provide to Us
Client Information:
- Name, job title, company name, business email address, business phone number
- Billing and payment information
- Information about your organization's security posture and compliance needs
- Documents and data shared during consulting engagements
- Responses to questionnaires and assessments
Prospect Information:
- Name, email address, company name, job title
- Information provided through contact forms, consultation requests, or inquiries
- Information shared during free consultations or assessments
Website Information:
- Information submitted through contact forms
- Newsletter or content subscription information
- Information provided when downloading resources (whitepapers, checklists, etc.)
2.2 Information We Collect Automatically
Website Usage:
- IP address, browser type, device information
- Pages visited, time spent on pages, click patterns
- Referring website or search terms
- Cookies and similar tracking technologies (see Cookie Policy section)
Service Usage:
- Log files from our services and tools
- System and application logs
- Error reports and diagnostic information
2.3 Information from Third Parties
- Business information from public sources
- Information from business partners or service providers
- Information from professional networks (LinkedIn, etc.) when you connect with us
3. How We Use Your Information
3.1 Service Delivery
- Provide consulting services, gap analysis, and compliance assessments
- Generate security policies, risk registers, and compliance documentation
- Deliver fractional vCISO services and security leadership
- Process payments and manage client relationships
- Communicate about services, projects, and engagements
3.2 Business Operations
- Respond to inquiries and consultation requests
- Send requested information, resources, or marketing communications (with consent)
- Improve our services and website
- Conduct business analytics and reporting
- Comply with legal obligations and enforce agreements
3.3 Marketing and Communications
- Send newsletters, updates, and educational content (with opt-in consent)
- Invite you to webinars, events, or educational sessions
- Share relevant security and compliance information
- Promote our services (you can opt out at any time)
4. Legal Basis for Processing (GDPR)
For individuals in the European Economic Area (EEA), we process personal information based on:
- Contract Performance: To fulfill our consulting agreements and provide services
- Legitimate Interests: For business operations, marketing (with opt-out rights), and service improvement
- Consent: For marketing communications and optional data collection
- Legal Obligation: To comply with applicable laws and regulations
5. Information Sharing and Disclosure
5.1 We Do Not Sell Personal Information
Snow Leopard Security does not sell, rent, or trade personal information to third parties.
5.2 Service Providers
We may share information with trusted service providers who assist us in:
- Payment processing
- Email delivery and marketing services
- Cloud hosting and data storage
- Analytics and website services
- Legal, accounting, or professional services
These service providers are contractually obligated to protect your information and use it only for specified purposes.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of the transaction, subject to the same privacy protections.
5.4 Legal Requirements
We may disclose information when required by law, court order, or government regulation, or to:
- Protect our rights, property, or safety
- Respond to legal process or government requests
- Enforce our agreements or policies
- Prevent fraud or security threats
5.5 With Your Consent
We may share information with your explicit consent or at your direction.
6. Data Security
6.1 Security Measures
As an information security consulting firm, we implement industry-standard security measures to protect personal information:
- Encryption: Data encrypted in transit (TLS/SSL) and at rest
- Access Controls: Role-based access controls and authentication
- Network Security: Firewalls, intrusion detection, and monitoring
- Regular Assessments: Security assessments and vulnerability management
- Employee Training: Security awareness training for all personnel
- Incident Response: Procedures for detecting and responding to security incidents
6.2 Data Retention
We retain personal information for as long as necessary to:
- Provide our services and fulfill contractual obligations
- Comply with legal and regulatory requirements
- Resolve disputes and enforce agreements
- Support business operations and analytics
Retention Periods:
- Client data: Duration of engagement + 7 years (for legal/regulatory compliance)
- Prospect data: Until opt-out or 3 years of inactivity
- Marketing data: Until opt-out or consent withdrawal
- Website analytics: Aggregated and anonymized data may be retained longer
6.3 Data Breach Notification
In the event of a data breach affecting personal information, we will:
- Investigate and contain the breach immediately
- Notify affected individuals and relevant authorities as required by law
- Provide information about the breach, affected data, and remediation steps
- Comply with applicable breach notification requirements (GDPR, CCPA, state laws)
7. Your Privacy Rights
7.1 General Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal requirements)
- Portability: Request transfer of your data to another service provider
- Objection: Object to processing of your personal information
- Restriction: Request restriction of processing in certain circumstances
- Withdraw Consent: Withdraw consent for processing based on consent
7.2 California Privacy Rights (CCPA/CPRA)
California residents have additional rights:
- Right to Know: Request disclosure of categories and specific pieces of personal information collected, used, disclosed, or sold
- Right to Delete: Request deletion of personal information (subject to exceptions)
- Right to Opt-Out: Opt out of sale or sharing of personal information (we do not sell data)
- Right to Non-Discrimination: Exercise privacy rights without discrimination
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit: Limit use of sensitive personal information (we use it only for specified purposes)
7.3 European Privacy Rights (GDPR)
Individuals in the EEA have rights including:
- Right of Access: Obtain confirmation of processing and access to personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion under certain circumstances
- Right to Restrict Processing: Restrict processing in certain situations
- Right to Data Portability: Receive data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
7.4 How to Exercise Your Rights
To exercise your privacy rights, contact us at:
Email: privacy@snowleopardsecurity.com
Mail: Snow Leopard Security
Attn: Privacy Officer
[Your Business Address]
Fort Worth, TX [Zip Code]
We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
8. Cookies and Tracking Technologies
8.1 Cookies We Use
Essential Cookies:
- Required for website functionality and security
- Cannot be disabled
Analytics Cookies:
- Help us understand website usage and improve user experience
- May include Google Analytics or similar services
Marketing Cookies:
- Used for advertising and marketing purposes
- Require consent (you can opt out)
8.2 Cookie Management
You can manage cookie preferences through:
- Your browser settings
- Our cookie consent banner (if applicable)
- Opt-out tools provided by third-party services
9. International Data Transfers
9.1 Data Transfers
Snow Leopard Security is based in the United States. If you are located outside the U.S., your information may be transferred to, stored in, and processed in the United States.
9.2 Transfer Safeguards
For transfers from the EEA, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Other legally recognized transfer mechanisms
10. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it promptly.
11. Third-Party Links
Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party sites you visit.
12. Do Not Track Signals
Some browsers offer "Do Not Track" (DNT) signals. We do not currently respond to DNT signals, but we respect your privacy choices through other mechanisms described in this Privacy Plan.
13. Updates to This Privacy Plan
We may update this Privacy Plan periodically to reflect changes in our practices, services, or legal requirements. We will:
- Post the updated Privacy Plan on our website
- Update the "Last Updated" date
- Notify you of material changes via email or website notice
- Obtain consent where required by law
14. Contact Information
Privacy Inquiries
For questions, concerns, or requests regarding this Privacy Plan or our privacy practices:
Privacy Officer: Jess Duncan
Snow Leopard Security
Email: privacy@snowleopardsecurity.com
Fort Worth, TX 76044
General Inquiries
Business Inquiries:
Email: inquiries@snowleopardsecurity.com
Website: snowleopardsecurity.com
15. Compliance Framework Alignment
This Privacy Plan is designed to comply with:
- General Data Protection Regulation (GDPR) - European Union
- California Consumer Privacy Act (CCPA/CPRA) - California, USA
- Virginia Consumer Data Protection Act (VCDPA) - Virginia, USA
- Colorado Privacy Act (CPA) - Colorado, USA
- Connecticut Data Privacy Act (CTDPA) - Connecticut, USA
- Other applicable state and federal privacy laws
16. Data Processing Addendum (DPA)
For clients subject to GDPR or other data protection laws, we offer a Data Processing Addendum that:
- Defines roles (data controller vs. data processor)
- Specifies processing purposes and data categories
- Outlines security measures and breach notification procedures
- Addresses international data transfers
- Establishes data subject rights and assistance obligations
Contact us to request a DPA for your engagement.
17. Privacy by Design
Snow Leopard Security follows privacy by design principles:
- Proactive: Privacy built into systems and processes from the start
- Privacy as Default: Default settings protect privacy
- Full Functionality: Privacy doesn't compromise functionality
- End-to-End Security: Security throughout the data lifecycle
- Visibility and Transparency: Clear privacy practices
- Respect for User Privacy: User-centric approach
18. Vendor and Third-Party Management
18.1 Vendor Privacy Requirements
We require vendors and service providers to:
- Maintain appropriate security measures
- Comply with applicable privacy laws
- Use data only for specified purposes
- Notify us of security incidents
- Provide data processing agreements where required
18.2 Vendor Assessment
We assess vendors for privacy and security compliance as part of our third-party risk management program.
19. Training and Awareness
All Snow Leopard Security personnel receive:
- Privacy and data protection training
- Security awareness training
- Regular updates on privacy law changes
- Guidance on handling personal information
20. Incident Response
20.1 Privacy Incident Procedures
In the event of a privacy incident:
1. Detection and Assessment: Identify and assess the incident
2. Containment: Contain the incident to prevent further impact
3. Investigation: Investigate the cause and scope
4. Notification: Notify affected individuals and authorities as required
5. Remediation: Implement corrective measures
6. Documentation: Document the incident and response
20.2 Breach Notification Timeline
- GDPR: Notify supervisory authority within 72 hours (if high risk)
- CCPA: Notify affected individuals without undue delay
- State Laws: Comply with applicable state breach notification requirements
Appendix A: Data Categories
Personal Information We May Collect:
Identifiers:
- Name, email address, phone number, mailing address
- IP address, device identifiers
- Account usernames or IDs
Commercial Information:
- Services purchased or considered
- Payment and billing information
- Transaction history
Professional Information:
- Job title, company name, industry
- Professional background and experience
Internet Activity:
- Website usage data
- Browsing history and interactions
- Cookie and tracking data
Sensitive Information (Limited):
- Security assessment data (with explicit consent)
- Compliance-related information (as necessary for services)
Appendix B: Service-Specific Privacy
Consulting Engagements
During consulting engagements, we may process:
- Organizational security and compliance data
- Risk assessment information
- Policy and procedure documentation
- Technical system information
This information is:
- Used solely for service delivery
- Protected by confidentiality agreements
- Retained per engagement terms
- Secured with appropriate technical and organizational measures
Fractional vCISO Services
vCISO services may involve:
- Access to security systems and tools
- Review of security documentation
- Analysis of security incidents
- Strategic security planning
All access and information are:
- Limited to what's necessary for services
- Protected by confidentiality obligations
- Secured with appropriate access controls
- Documented and auditable
Appendix C: Compliance Certifications
Snow Leopard Security maintains compliance with:
- SOC 2 Type II (when achieved)
- ISO 27001 (when achieved)
- NIST CSF alignment
- HIPAA (for healthcare-related services, if applicable)
Our privacy practices align with these frameworks and are regularly assessed and updated.
Approved By: Jess Duncan
Document Control
Version: 1.0
Effective Date: 1/10/2026
Last Reviewed: 1/10/2026
Next Review: 1/11/2026
Owner: Privacy Officer
Approved By: Jess Duncan