Privacy Policy


WEBAPPS, LLC
Last updated 4/20/2020

Webapps LLC is the owner of the HitPath® affiliate tracking software and the sole operator of the HitPath Masters Conference. This Privacy Policy (“the Policy”) explains how WebApps, LLC (“the Company”) collects, uses, stores, protects, and in some limited instances shares data, including personal data, generated by WebApps clients and third parties that interact with WebApps and its clients.

WebApps is committed to complete transparency as to how we use your personal data. To that end, if you have any questions regarding this policy, we encourage you to reach out to our Data Protection Officer using the details set out below:

Contact Details

You can contact us as follows:
FAO: Webapps, LLC

Address: 650 Poydras Street, #2800
New Orleans, LA 70130
Telephone: 1-866-882-6201
Email: support@hitpath.com

WebApps reserves the right to modify this Policy at any time. We will notify you of any material changes to the Policy by posting the modified Statement at https://hitpath.com/privacy-policy and changing the Effective Date at the top of the Policy. This Policy is incorporated into the Acceptable Terms of Use and, if you are a WebApps customer, into your License Agreement and the Terms and Conditions of that License Agreement.

A copy of this Policy is available upon request.

How does WebApps collect data?

WebApps collects data in two ways: by interacting directly with a client or user and by receiving data as provided by a client or third party. If you are a client or potential client that is interacting directly with WebApps, you are providing data, including personal data, directly to WebApps. This occurs when you sign up for a Hitpath demo and/or for the Hitpath Affiliate Program. When you sign up for any Hitpath service, you are going to be asked to provide certain information such as your name, email address, company name and web address. This method of collection occurs through the registration form.

WebApps also receives information relating to third parties from Clients through the use of the WebApps Software. If, for example, a client utilizes WebApps software to monitor online marketing behavior for certain advertising campaigns, end user data will be forwarded to WebApps through application of the Hitpath software. While WebApps and the end user will never interact directly, that end user is generating information including things like his/her IP address, geolocation, and online behavior. That data is collected by the WebApps Client and then forwarded to WebApps through the Hitpath software so WebApps can provide the Client with a broad range of services utilizing that data. In those situations, it is the Client who determines the purpose and means of the processing of the personal data. WebApps and the Client have a written license agreement which governs the nature of that relationship and the obligations of the parties with respect to that personal data, but WebApps does not control what personal data our Clients collect nor how they use it. WebApps does take steps to protect all personal data that it receives from Clients, including the personal data of third parties, but the Client is responsible for ensuring that the personal data is properly collected and protected. WebApps encourages its clients to review their own Privacy Policies and Data Protection Management Systems before collecting any personal data from any person.

In addition to data that you provide to us through voluntary registrations, email correspondence, telephone calls, surveys

What data does WebApps collect?

The data collected by WebApps falls into two categories: Client data and end user data. Client data is provided to WebApps directly by a Client as part of the enrollment process and ongoing relationship needed to facilitate the WebApps License Agreement. End user data is data that is provided to WebApps by Clients.

WebApps collects the following types of information about Clients directly from those Clients:

  • Name (or Company Name)
  • Physical Address
  • Email Address
  • IP address
  • Cookies
  • Phone Number
  • Pixel Tags
  • Imprecise Geographic Location Data derived from IP Address
  • Contact person
  • Banking account information/credit card information

WebApps receives the following types of end user information from Clients:

  • IP Address
  • Imprecise Geographic Location Data derived from IP Address
  • Pixel Tags
  • Click data

Why do we collect this data?

We collect this data for a number of reasons. The bases for collection are 1) your consent (if requested and given); 2) to provide services to you under a WebApps License Agreement in the event you are a WebApps Client; 3) where we need to comply with a legal or regulatory obligation; or 4) to further our legitimate business interests.

WebApps is primarily engaged in the business of processing end user data for the benefit of our Clients. This means that in almost all instances, the end user does not interact directly with WebApps. Instead, an end user interacts with one of WebApps’ clients, or more specifically with an advertisement linked directly to a WebApps client either because the Client placed the advertisement or did so through an Affiliate or Publisher, and WebApps then processes the data that is generated by that end user activity. Through the application of the Hitpath software, WebApps is able to provide useful information to its clients relating to the effectiveness of certain advertisements, campaigns, Client Affiliates, and Client Publishers. In this scenario, WebApps is the processor of personal data.

WebApps also collects personal data directly from Clients through Client consent. WebApps collects certain client data such as name, email address, mailing address, IP information, and payment information when a Client signs up with WebApps. WebApps uses that personal data to facilitate the services it provides the Client and to act on the contractual relationship between WebApps and the Client, including communicating directly with the Client, processing payment information, providing technical support, and in some limited instances marketing directly to the Client regarding certain available services (unless the Client has opted out of those direct marketing communications).

What does WebApps do with this personal data?

WebApps does a few different things with the personal data it receives. If the personal data is end user data collected by a client and then provided to WebApps for processing, WebApps processes that information in a number of ways. WebApps processes the data and reports that data via its Hitpath software showing the effectiveness of advertising campaigns, affiliates, and publishers. This includes reporting on click data for end users that shows the effectiveness of certain advertisements and campaigns as well as general end user behavior associated with those marketing efforts. WebApps makes these reports and processed data available to WebApps clients via the client’s particular instance of the Hitpath software.

If the personal data is Client data that has been voluntarily provided by the Client through its written consent, WebApps uses that information to communicate directly with the Client, to provide technical support, to assist in the Client’s use of that Client’s instance of the Hitpath software, and to directly market to that Client, in the event the Client has not elected to object to those direct marketing efforts.

With whom do we share this personal data?

WebApps relies on third party vendors at times to assist it with the logistical support needed to operate WebApps and the Hitpath software. This includes vendors that provide hosting services, database services, storage, DNS, call provider services, and geo-location services. WebApps limits the information that we provide these third parties to the greatest extent possible. Further, all of our third party vendors have entered into an agreement with WebApps to protect your personal data.

There are some very specific and limited circumstances where WebApps must share personal data with others. WebApps may disclose personal data in the event of suspected fraudulent, malicious, or unlawful activity, or invalid traffic, or if we believe that we are legally required to do so.

What rights do you have to your data?

You have certain rights to your personal data. These rights include the right to be informed, the right to access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling. These rights are described in detail in the GDPR itself. If you wish to review the source material for these rights you can follow this link. http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf. If you have any questions regarding these rights or wish to exercise any of these rights, please contact support@hitpath.com. WebApps is committed to protecting and honoring your rights to the treatment, storage, and handling of your personal data.

How do you make a complaint regarding the handling of your data?

As part of the bundle of rights set out above, you have a right to notify the appropriate supervisory authority if there is a problem with the handling of your personal data. Each country in the EU and EEA has a supervisory authority who will field these types of complaints directly.

Children's Online Privacy Protection Act

Webapps, LLC does not market to nor seek users under the age of 13. Information discovered to contain personally identifiable information on an individual under the age of thirteen will be immediately purged and never shared with third parties.

Note to California Users

Individual customers who reside in California and have provided their personal information to us may request information about our disclosures of certain categories of personal information to third parties for their direct marketing purposes. Such requests must be submitted to us at legal@hitpath.com. Within thirty (30) days of receiving such a request, we will provide a list of the categories of personal information disclosed to third parties for third-party direct marketing purposes during the immediately preceding calendar year, along with the names and addresses of these third parties. This request may be made no more than once per calendar year. We reserve our right not to respond to requests submitted other than to the address specified in this paragraph.

Notwithstanding any other provision, we may also engage a data provider who may collect web log data from you (including IP address and information about your browser or operating system), or place or recognize a unique cookie on your browser to enable you to receive customized ads or content. These cookies contain no personally identifiable information. The cookies may reflect de-identified demographic or other data linked to data you voluntarily have submitted to us, e.g., your email address, that we may share with a data provider solely in hashed, non-human readable form. To opt-out of these data provider cookies, please go to www.aboutads.info

Direct Marketing

With your consent, we and/or affiliate companies may sometimes contact you (by email, SMS text, letter or phone) in order to provide targeted marketing about our Services or their services (as the case may be). Such marketing communications will only be sent to you if you have given your consent when you registered for our Services and have not withdrawn such consent.

All marketing emails you receive from us or companies we work with will include specific instructions on how to unsubscribe and you may unsubscribe at any time.

Additionally, you can contact us as directed at the following link to unsubscribe from marketing from us and the companies we work with https://hitpath.com/contact-us

What are cookies and how do we use them?

A cookie is simply a tiny text file containing pieces of data, stored when you visit a website. It’s designed to help websites remember what you did in the past. This can include whether you clicked on particular links or pages or read pages on the site as long as the cookie is valid.

To fit the new regulations, we’ve detailed the cookies used on this website for you to decide whether you want to keep using them or if you would rather delete existing cookies, or even disable the use of cookies on our websites altogether.

WebApps uses three types of cookies.

Necessary Cookies:
These are essential cookies that let you use the Dashboard and its features depending on the device you’re using (language, screen performances, OS…). Without them, the quality of your navigation could not be ensured. These cookies don’t collect any information about you that could be used for marketing or remembering where you’ve been on the internet.

Performance Cookies:
These collect information about how you use a website, for instance, which pages you go to most often, and if you get error messages. They don’t collect information that identifies you; all the information is anonymous. It is used only to improve how the website works and how we can provide you with more relevant content.

Third-party Cookies
A third-party cookie is set by someone else. Sometimes targeting cookies are linked to other sites, such as Facebook.

The issue and the use of cookies by third parties are subject to the privacy policies of these third parties. We inform you of the purpose of the cookies that we know of and the means you have to make choices regarding cookies.

If you decide you’re not happy with the use of cookies on the WebApps website or on your instance of the Hitpath software you can easily delete them from the cookie folder of your browser. You can also set your browser to block cookies or to send a warning notice before a cookie is stored on your computer. You can exercise your disagreement by changing the configuration of your browser.

How long is personal data retained?

Different information is used for different purposes, and is subject to different standards and regulations. In general, information is retained for such period of time as is felt necessary to provide you with services you request, to comply with applicable regulations or legislation, and to ensure that you have a reasonable opportunity to access the information. If you no longer consent to us retaining your personal information, you can request that it be removed by contacting us at support@hitpath.com. WebApps’ Document Retention Policy is available for your review here.

Is your information secure?

WebApps takes necessary precautions to preserve data security, based on the nature of your data and the risks posed by our processing, and in particular to prevent their being impaired, damaged or having unauthorized third parties get access to them (physical protection of premises, authentication procedures for our clients with personal and secure access using confidential identifiers and passwords, logging of connections, encryption of certain data, etc.).

What is GDPR and what is WebApps doing to comply with it?

The General Data Protection Regulation (GDPR) is legislation which was recently adopted by the European Union and which goes into effect on May 25, 2018. WebApps has undertaken an extensive audit of its systems including an extensive audit of the data it controls and processes, how it obtains and protects that data, and the relationships it has with third party vendors to ensure that the data is secure.

As part of its GDPR Compliance Program, WebApps has updated many of its policies and procedures to ensure full transparency in its treatment of personal data. WebApps relies on privacy by design and privacy by default principles, minimizes the data that it collects, controls, processes, and stores, and has implemented protocols to protect that data including increased awareness of threats to that data, quick response to any security breaches, and notification systems for clients, users, and supervisory authorities as appropriate.

WebApps requires written agreements with its third party vendors ensuring that those vendors are GDPR compliant and are taking adequate steps to process and store personal data. WebApps has also implemented a system to adequately respond to data subject requests relating to any of the data subject rights memorialized in the GDPR including Right to Restrict, Right to be Forgotten, Right to Access, and so on.

We value your opinion. If you have any comments or questions about our Privacy Policy, you can email us at support@hitpath.com.

Updates to this policy

WebApps will update this Policy as needed. In the event of such an update, all clients will be provided with the updated Policy via their registered email for the Hitpath software. Additionally, an updated copy of the Policy will be available at www.hitpath.com/privacy-policy.

Acceptable Use Policy


WEBAPPS, LLC
Last updated 04/15/2020

General Terms

This Acceptable Use Policy (“Policy”) describes prohibited uses of hitpath.com (the “Site”) and the HitPath® affiliate tracking software (collectively the “Services”) as owned and operated by WebApps, LLC, its subsidiaries and/or affiliates (“WebApps”). This is not an exhaustive list of prohibited activities and WebApps reserves the right to modify this Policy at any time. If you have entered into a License Agreement with WebApps, the terms and conditions of that Agreement shall control in the event of a conflict with this Policy.

For questions regarding this policy, please contact Webapps at support@hitpath.com.

By using the Services or accessing the Site, you agree to the latest version of this Policy. If you violate this policy or authorize or assist others to do so, we may suspend or terminate your use of the Services.

No Illegal, Harmful, or Offensive Use

You may not use, encourage, promote, facilitate or instruct others to use the Services and/or the Site for any illegal, harmful, fraudulent, infringing or offensive use, or to transmit, store, display, distribute or otherwise make available content that is illegal, harmful, fraudulent, infringing or offensive. Prohibited activities include:

  • Any activities that are illegal, that violate the rights of others, or that may be harmful to others, our operations or reputation.
  • Using Hitpath Services to infringe or misappropriate the intellectual property or proprietary rights of others.
  • Using Hitpath Services to store or disseminate harmful content including but not limited to content or other computer technology that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, time bombs, or cancelbots. Phishing related emails, content or offers and campaigns directing a user to sites deemed illegal or possibly involved in phishing or identity theft by internet hosts.
  • Unsolicited Commercial Email – Spam. WebApps does not permit spam or forced opt-in when using HitPath® code.
  • Racial, ethnic, political, hate-mongering or otherwise objectionable content.
  • Software Pirating (e.g., Warez) or Hacking or Phishing.
  • Using HitPath® branded URLs.
  • Using Hitpath Services to improperly access information which you are contractually or legally barred from accessing and/or using.
  • Using Hitpath Services to violate contractual obligations with other entities including non-disclosure agreements and non-compete agreements.
  • Using aliases or false identities to hide your true identity.

Access and Online Behavior

You may not use the Services to violate the security or integrity of any network, computer or communication system, software application, or network or computing device (“System”). These prohibited activities include but are not limited to:

  • Allowing other persons or entities to access the Services using your credentials or Hitpath Privileges;
  • Monitoring data or traffic on the System without permission;
  • Falsifying origin information in order to gain access to the System of the Services in any way other than as specifically permitted under the License Agreement, if applicable.
  • Transferring data available via your instance of the Hitpath Software to any other person.

Monitoring

WebApps reserves the right to monitor your activity when using the Services. In the event that we suspect that your activities violate any law or regulation, we reserve the right to report those activities to appropriate law enforcement officials, regulators or other appropriate third parties. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Policy.

Compliance

You may only use the Services in compliance with the rules, regulations, and laws of each applicable country and/or province where you and/or your publishers or affiliates conduct business.

Miscellaneous

A violation of or an alleged violation of this Policy will result in the immediate termination of your License Agreement, in WebApps’ sole discretion.

Please immediately inform us of any violation of this Policy.

HitPath and GDPR


This page is designed to share with you some information regarding the steps WebApps, LLC d/b/a Hitpath is taking to prepare for the General Data Protection Regulation (or GDPR) that is set to take effect on May 25, 2018. The GDPR is a new and sweeping set of privacy regulations adopted by the European Union that will apply to many businesses based in the United States, including WebApps.

This page will provide you with a brief explanation as to what WebApps is doing to protect your data and to ensure that we comply with the new high standard set by the GDPR.

One of the main steps WebApps is taking to comply with GDPR is to update its Privacy Policy. The Privacy Policy explains what data WebApps collects from you and from other data subjects, how it stores, protects, and uses that data, and your various rights relating to that data. We encourage you to follow this link and to review the updated Privacy Policy which goes into effect on May 24, 2018.

WebApps is also updating its Document Retention Policy, which governs how long WebApps will retain documents, both during the life of your License Agreement and generally throughout the business. These changes will also go into effect on May 24, 2018. We strongly encourage you to review this document carefully as it contains significant changes in policy regarding how long certain information will be available to you regarding your account. The updated Document Retention and Destruction Policy is available via this link.

WebApps has also adopted a General Data Protection Regulation Policy. This policy explains the many additional steps WebApps has taken to comply with GDPR and to protect your data. The General Data Protection Regulation Policy is available for your review via this link.

We will continue to update these Policies from time to time. These policies will be posted on our website as updated and available for your review at any time.

While many of the requirements of GDPR are brand new, WebApps has always been and will continue to be committed to protecting your data. The changes that we are making are designed not only to comply with the new legislative requirements but also to provide you with the highest levels of service and privacy possible.

We want to bring one significant change to the Acceptable Use Policy to your attention. In an effort to minimize the security risk inherent with data collection, WebApps is taking steps to reduce the sheer volume of data that it retains. Under the current License Agreement, as subject to the current Acceptable Use Policy, WebApps maintains all of your user data for as long as your License Agreement remains in effect.

We are modifying that system slightly. Under the new Acceptable Use Policy, WebApps will only retain your data for one year while your License Agreement is in effect. This means that after data has been sitting in your database for a year that data will be automatically purged. You have the option to opt out of this system, as explained in the updated Acceptable Use Policy. If you want us to hold your data for longer during your License Agreement, all you have to do is request that we do so and we will be happy to oblige.

Please reach out to us via our website or your customer service representative if you have any questions regarding these policy changes.

General Data Protection Regulation Policy


WebApps, LLC
Effective May 24, 2018

Policy Statement

WebApps, LLC (“the Company”), is a Louisiana limited liability company. The Company provides a multichannel tracking platform which allows companies, advertisers, advertising agencies, and publisher networks to monitor the activity generated by their respective online marketing activities (“the Services”).

The Company receives personal data in various forms and from various sources in connection with the Services. Customers provide personal data regarding themselves to the Company so that the Company can provide them with the Services. Customers also provide the Company with personal data of other companies and natural persons that is generated by that end user through his online activities and then flows through the Customer to the Company for processing. Under both of these scenarios, the Company at times receives personal data pertaining to natural persons located in the European Union (EU) and the European Economic Area (EEA). As a result of its control and/or processing of this personal data, the Company falls within the scope of the General Data Protection Regulation (“GDPR”).

The purpose of this Policy is to detail the Company’s efforts to comply with the requirements of the GDPR and to ensure the protection and confidentiality of personal data.

Other Policies

The Company has enacted a variety of policies to ensure that it is complying with the requirements of GDPR. Some of these policies have been in place for some time and have been updated whereas other policies have been enacted for the first time in order to comply with GDPR.

These policies are all available for review at your request.

These policies include the following:

  • Privacy Policy
  • Document Retention Policy
  • Acceptable Use Policy
  • Information Security Policy

Additionally, the Company has amended its contractual relationships to ensure that personal data is appropriately protected. This includes User License Agreements and Data Processing Agreement Addendums. Examples of these documents are also available upon request.

GDPR Compliance

Responsibility

The Company has not elected to appoint a Data Protection Officer at this time. The Company’s core activities do not consist of processing operations which require regular and systematic monitoring of data subjects in the EU and/or EEA on a large scale. The Company does not process sensitive data relating to criminal convictions and offenses. The CEO of the Company, Samuel S. Prokop, is responsible for ensuring that the Company acts in compliance with the requirements of GDPR and any inquiries on this subject shall be directed to him.

Risk Assessment

The Company’s commitment to minimizing the risk to the personal data it controls and processes is ongoing. To minimize that risk, the Company has implemented an Information Security Policy, Document Retention Policy, Privacy Policy, and Security and Breach Protocols.

The company will also undergo semi-annual Data Protection Impact Assessments. The purpose of these assessments shall be to not only assess the risks facing the company, but also to ensure that the policies that it has implemented to minimize these risks are functional and effective. The Chief Technical Officer shall be responsible for completing the semi-annual DPIA.

Auditing

In addition to the semi-annual DPIA, the Company shall undergo a semi-annual GDPR internal audit. The Company understands that GDPR is a new law and as such will likely evolve and change over time. Similarly, new threats and processes will arise which the Company must take into account over time. To that end, the Company will perform a semi-annual GDPR internal audit relying on the GDPR questionnaire published for that purpose by BayLDA. The results of those audits will be retained for no less than three (3) years.

Controller/Processor

The Company operates as a Controller and as a Processor depending on the service provided and the source of the personal data. Customers provide personal data directly to the Company when they sign up for the Services. This data includes information such as Company name, individual name, address, phone number, etc. The Company is the controller of that data as it controls the means by which it is collected, why it is collected, and how it is used.

The Company operates as a processor when Customers provide the Company with information for it to process on their behalf. The Company is in the business of tracking and monitoring behavior relating to certain online marketing and advertising efforts of its Customers. Customers collect data directly from end users and then relay that information through to the Company. The Company then processes that information so it has value and use to the Customer. The Company is only a processor in this scenario as it does not control the means of collection of the data, why it is collected, or how it is used.

Lawful Basis for Processing

The basis for the Company’s processing of information depends on the source of the data and the data subject. When a Customer contracts with the Company for the Services, the Customer is asked to provide certain pieces of personal data to the Company. This information is necessary to establish the Customer’s instance of the Hitpath Software, the Company’s primary product. The Customer consents to the Company’s processing of its personal data at that time.

The Company also processes personal data on the basis of a contract. The Company enters into a License Agreement with each of its customers. In order to fulfill its contractual obligations under the License Agreement, the Company must process some of the Customer’s personal data. This processing is necessary to the operation of the Services offered by the Company and the software will not function correctly without this personal data.

The Company also processes Customer personal data on the basis of the legitimate interest of fraud prevention. Specifically, the Company has instituted certain security measures to prevent unauthorized access to Customer accounts. The Company processes the personal data provided by the Customer to ensure that the Customer and only the Customer can access its account. This security related processing is necessary to protect the Customer and other data subjects and the individual’s interests do not override this legitimate interest in fraud prevention.

The Company also processes data of other data subjects, including end users, that is provided to it by Customers. The basis for that processing is the legitimate business of the operation of the Company and the provision of the Services to the Customers as well as part of its direct marketing practices. The Company is in the business of taking data that is provided to it by its customers, the controllers of that data, and processing it in a way that allows the customer to understand the value of the Customer’s online advertising and marketing strategies. The Company has an interest in operating its business and in providing an efficient and valuable service to its Customers. The Company does not control the means of collection of the data and relies on its Customers, the controller, to properly notify any end user that it is collecting data at the time of collection. The processing of the personal data of data subjects is necessary for the Company to provide the Services to its Customers and to carry out its business. Further, end users have an expectation that their online activities, particularly their interaction with online advertisements, are being monitored and generating data that is used by advertisers, publishers, and agencies. The interests and fundamental rights of the data subject do not override the legitimate interests of the Company as described herein.

Data Processing Agreements

The Company relies on a number of vendors. It does so both in its capacity as a controller and in its capacity as a processor. The Company relies on vendors to provide a number of services including hosting, servers, geo location, customer intelligence, among others. In order for these vendors to carry out these tasks, the Company must transfer data to them. This data may include personal data of both customers and other data subjects including end users.

In order to ensure that these third party vendors properly protect all data that the Company provides to them, the Company requires these vendors to provide certain assurances regarding their compliance with GDPR. Additionally, the Company requires that each vendor execute a Data Processing Agreement or adopt terms covered by such a document into existing user agreements.

Data Subject Rights

The Company is keenly aware of the variety of data subject rights memorialized by GDPR. The Company’s handling of personal data is addressed at length in the company’s Privacy Policy which is available on the Company’s website.

Compliance Generally

The Company takes responsibility for complying with the GDPR at the highest management level and throughout the organization. The Company records the steps that it takes to comply with GDPR including implementing a system for regular risk assessments, audits, and the processing of personal data. In addition to implementing certain policies to protect the data it controls and processes, the Company has adopted both privacy by design and privacy by default approaches to ensure that appropriate data protection measures are in place throughout the entire lifecycle of the Company’s processing activities. The Company has increased its security measures to protect this data and has instituted policies to heighten security awareness for its employees. The Company has also instituted policies to ensure that data breaches are quickly recognized and appropriately addressed both with the individuals involved and with the appropriate supervisory authorities.

Document Retention and Destruction Policy


WebApps, LLC
Updated 5/24/2018

Purpose

The purpose of this Policy is to ensure that necessary records and documents of WebApps, LLC (“WebApps” or “the Company”) are adequately protected and maintained and to ensure that records that are no longer needed by the Company or are of no value are discarded at the proper time. This Policy is also for the purpose of aiding employees of the Company in understanding their obligations in retaining electronic documents – including e-mail, Web files, text files, sound and movie files, PDF documents, and all Microsoft Office or other formatted files.

Policy

This Policy represents the Company’s policy regarding the retention and disposal of records and the retention and disposal of electronic documents.

Administration

Attached as Appendix A is a Record Retention Schedule that is approved as the initial maintenance, retention and disposal schedule for physical records of the Company and the retention and disposal schedule of electronic documents. The Data Protection Officer (the “Administrator”) is the officer in charge of the administration of this Policy and the implementation of processes and procedures to ensure that the Record Retention Schedule is followed. The Administrator is also authorized to: make modifications to the Record Retention Schedule from time to time to ensure that it is in compliance with local, state and federal laws and includes the appropriate document and record categories for the Company; monitor local, state and federal laws affecting record retention; annually review the record retention and disposal program; consult with outside counsel, and monitor compliance with this Policy.

Suspension of Record Disposal In Event of Litigation or Claims

In the event the Company is served with any subpoena or request for documents or any employee becomes aware of a governmental investigation or audit concerning the Company or the commencement of any litigation against or concerning the Company, such employee shall inform the Administrator and any further disposal of documents shall be suspended until such time as the Administrator, with the advice of counsel, determines otherwise. The Administrator shall take such steps as are necessary to promptly inform all staff of any suspension in the further disposal of documents.

Applicability

This Policy applies to all physical records generated in the course of the Company’s operation, including both original documents and reproductions. It does not apply to independent contractor records as we rely upon the governing boards of third party vendors to set appropriate retention policies for their members. It also applies to the electronic documents described above.

This Policy was approved by the Members of the Company.

APPENDIX A RECORD RETENTION SCHEDULE

The Record Retention Schedule is organized as follows:

SECTION TOPIC

  1. Accounting and Finance
  2. Contracts and Memorandums of Understanding
  3. Corporate Records
  4. Correspondence and Internal Memoranda
  5. Electronic Documents
  6. Legal Files and Papers
  7. Customer Data
  8. Data Subject Data
  9. Miscellaneous
  10. Personnel Records
  11. Property Records
  12. Tax Records
  13. Contribution Records
1. ACCOUNTING AND FINANCE
Record Type Retention Period
Accounts Payable ledgers and schedules 7 years
Accounts Receivable ledgers and schedules 7 years
Annual Audit Reports and Financial Statements Permanent
Annual Audit Records, including work papers and other documents that relate to the audit 7 years after completion of audit
Annual Plans and Budgets 2 years
Bank Statements and Canceled Checks 7 years
Employee Expense Reports 7 years
General Ledgers Permanent
Interim Financial Statements 7 years
Notes Receivable ledgers and schedules 7 years
Investment Records 7 years after sale of investment
Internal Audit work papers and findings 7 years after completion
2. CONTRACTS
Record Type Retention Period
Contracts and Related Correspondence (including any proposal that resulted in the contract and all other supportive documentation) 7 years after expiration or termination
3. CORPORATE RECORDS
Record Type Retention Period
Corporate Records (minute books, signed minutes of the Board and all committees, corporate seals, articles of incorporation, bylaws, annual corporate reports) Permanent
Licenses and Permits Permanent
Memorandums of Understanding Permanent
4. CORRESPONDENCE AND INTERNAL MEMORANDA

General Principle: Most correspondence and internal memoranda should be retained for the same period as the document they pertain to or support. For instance, a letter pertaining to a particular contract would be retained as long as the contract (7 years after expiration). It is recommended that records that support a particular project be kept with the project and take on the retention time of that particular project file.

Correspondence or memoranda that do not pertain to documents having a prescribed retention period should generally be discarded sooner. These may be divided into two general categories:

Those pertaining to routine matters and having no significant, lasting consequences should be discarded within two years. Some examples include:

  • Routine letters and notes that require no acknowledgment or followup, such as notes of appreciation, congratulations, letters of transmittal, and plans for meetings.
  • Form letters that require no followup.
  • Letters of general inquiry and replies that complete a cycle of correspondence.
  • Letters or complaints requesting specific action that have no further value after changes are made or action taken (such as name or address change).
  • Other letters of inconsequential subject matter or that definitely close correspondence to which no further reference will be necessary.
  • Chronological correspondence files.

Please note that copies of interoffice correspondence and documents where a copy will be in the originating department file should be read and destroyed, unless that information provides reference to or direction to other documents and must be kept for project traceability.

Those pertaining to nonroutine matters or having significant lasting consequences should generally be retained permanently.

5. ELECTRONIC DOCUMENTS

Electronic Mail: Not all email needs to be retained, depending on the subject matter.

Staff will strive to keep all but an insignificant minority of their e-mail related to business issues.

Staff will not store or transfer Company related e-mail on non-work-related computers except as necessary or appropriate for Foundation purposes.

Staff will take care not to send confidential/proprietary Company information to outside sources.

Electronic Documents: including Microsoft Office Suite and PDF files. Retention also depends on the subject matter.

  • PDF documents – The length of time that a PDF file should be retained should be based upon the content of the file and the category under the various sections of this policy. The maximum period that a PDF file should be retained is 6 years. PDF files the employee deems vital to the performance of his or her job should be printed and stored in the employee’s workspace.
  • Text/formatted files – Staff will conduct annual reviews of all text/formatted files (e.g., Microsoft Word documents) and will delete all those they consider unnecessary or outdated. After five years, all text files will be deleted from the network and the staff’s desktop/laptop. Text/formatted files the staff deems vital to the performance of their job should be printed and stored in the staff’s workspace.

Web Page Files: Internet Cookies
All workstations: All web browsers should be scheduled to delete Internet cookies once per month.

Skype, G-Chat, Slack, and other Messaging documents
All documents produced or stored as part of any messaging service used by any employee for Company purposes, including internal and external communications, shall be scheduled to be deleted automatically six (6) months after the date the communication took place and/or the document was generated. If the employee/user is unable to alter the document retention schedule of the particular chat service used, the document retention policy of that service shall control the handling of those documents.

Text Messages
Employees may from time to time utilize their mobile devices, including their personal cell phones, to exchange work related text messages. All employees shall adjust their mobile device text settings to automatically delete text messages after thirty (30) days. The Company does not automatically delete electronic files beyond the dates specified in this Policy. It is the responsibility of all staff to adhere to the guidelines specified in this policy.

6. LEGAL FILES AND PAPERS
Record Type Retention Period
Legal Memoranda and Opinions (including all subject matter files) 10 years after close of matter
Litigation Files 10 years after expiration of appeals or time for filing appeals
Court Orders Permanent
Requests for Departure from Records Retention Plan 10 years
7. CUSTOMER DATA
Record Type Retention Period
Contact information 2 years
Billing information 2 years
Reports 12 months (if contract is active), 30 days after termination of contract
Campaign and Affiliate Data 12 months (if contract is active), 30 days after termination of contract
Click Data 12 months (if contract is active), 30 days after termination of contract
Admin Use Data 12 months (if contract is active), 30 days after termination of contract
8. DATA SUBJECT DATA
Record Type Retention Period
Reporting Data
Hits Table 12 months (if subject to active contract, otherwise 30 days)
Hits Database 12 months (if subject to active contract, otherwise 30 days)
Sales Database 12 months (if subject to active contract, otherwise 30 days)
Redshift 12 months (if subject to active contract, otherwise 30 days)
Log Files 40 days
Lead Generation Data
Call Center Data 12 months (if subject to active contract, otherwise 30 days)
Direct Marketing Data 12 months (if subject to active contract, otherwise 30 days)
Direct Unsubscribe Data Indefinite
Indirect Unsubscribe Data Indefinite
Suppression List Indefinite
9. MISCELLANEOUS
Record Type Retention Period
Consultant’s Reports 2 years
Material of Historical Value (including pictures, publications) Permanent
Policy and Procedures Manuals – Original Current version with revision history
Policy and Procedures Manuals – Copies Retain current version only
Annual Reports Permanent
10. PERSONNEL RECORDS
Record Type Retention Period
Employee Personnel Records (including individual attendance records, application forms, job or status change records, performance evaluations, termination papers, withholding information, garnishments, test results, training and qualification records) 6 years after separation
Employment Contracts – Individual 7 years after separation
11. PROPERTY RECORDS
Record Type Retention Period
Correspondence, Property Deeds, Assessments, Licenses, Rights of Way Permanent
Original Purchase/Sale/Lease Agreement Permanent
Property Insurance Policies Permanent
12. TAX RECORDS

General Principle: The Company must keep books of account or records as are sufficient to establish amount of gross income, deductions, credits, or other matters required to be shown in any such return.
These documents and records shall be kept for as long as the contents thereof may become material in the administration of federal, state, and local income, franchise, and property tax laws.

Record Type Retention Period
Tax-Exemption Documents and Related Correspondence Permanent
IRS Rulings Permanent
Excise Tax Records 7 years
Tax Bills, Receipts, Statements 7 years
Tax Returns – Income, Franchise, Property Permanent
Tax Workpaper Packages – Originals 7 years
Sales/Use Tax Records 7 years
Annual Information Returns – Federal and State Permanent
IRS or other Government Audit Records Permanent
13. CONTRIBUTION RECORDS
Record Type Retention Period
Records of Contributions Permanent
The Company’s or other documents evidencing terms of gifts Permanent