Privacy Policy

DOYB Technical Solutions, Inc. ("DOYB," "we," "our," or "us") is a cybersecurity, compliance, and IT advisory firm headquartered in Atlanta, Georgia. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit doybcyber.com (the "Site") or engage with our services.

This policy applies globally, including to visitors and contacts in the United States, the European Union (EU), the European Economic Area (EEA), and the United Kingdom (UK). Where EU/UK GDPR applies, we act as the data controller in respect of personal information you provide to us.

By using the Site or submitting information to us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Site.

---

1. Information We Collect

1.1 Information You Provide Directly

We collect personal information you voluntarily provide when you:

• Submit a contact form, consultation request, or service inquiry
• Schedule a meeting through our HubSpot scheduling tool
• Register for a webinar or event
• Submit a general interest or job application, including uploading a resume or CV
• Download a guide, whitepaper, or resource requiring form submission
• Communicate with us by email, phone, or other means

The categories of personal information collected through these interactions may include: full name, business email address, phone number, company name, job title, and the content of your message or inquiry. Job applicants additionally provide employment history, educational background, professional certifications, and other information contained in submitted resumes or CVs.

1.2 Information Collected Automatically

When you visit the Site, we and our third-party service providers automatically collect certain technical and behavioral information, including:

• IP address (used to derive approximate geographic location; not stored by Google Analytics 4)
• Browser type and version, operating system, and device type
• Pages visited, time spent on each page, and navigation path through the Site
• Referring URL and search terms used to reach the Site
• Session identifiers and unique cookie-based visitor identifiers
• Events and interactions on the Site (clicks, form views, resource downloads)

This information is collected through cookies and similar tracking technologies. See Section 5 (Cookies) for a full breakdown of cookies used and how to manage them.

1.3 Information From Third-Party Platforms

We use HubSpot as our CRM, form management, and marketing automation platform. When you interact with HubSpot-embedded forms or our HubSpot meeting scheduler, HubSpot receives and processes your submitted information on our behalf as a data processor. HubSpot may also set tracking cookies independently — see Section 5.

We use Google Analytics 4 (GA4) to collect website usage and behavioral data. GA4 does not store IP addresses. Data is processed by Google LLC on our behalf as a data processor.

---

2. Legal Basis for Processing (EU/UK Visitors)

If you are located in the EU, EEA, or UK, EU/UK GDPR requires us to identify a specific legal basis for each category of personal data processing. We process your personal information on the following bases:

Where we rely on Legitimate Interests (Article 6(1)(f)), we have conducted a Legitimate Interest Assessment (LIA) documenting the balance between our business interests and your privacy rights. You may request a summary of any applicable LIA by contacting privacy@doybcyber.com. You have the right to object to processing based on legitimate interests at any time — see Section 7.

Where we rely on Consent (Article 6(1)(a)), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. For cookie consent, use the consent management tool accessible in the Site footer. For marketing email consent, use the unsubscribe link in any email we send.

---

3. How We Use Your Information

We use personal information to:

• Respond to inquiries, service requests, and consultation bookings you initiate
• Deliver requested resources, guides, and webinar access
• Communicate about our cybersecurity, compliance, IT, and AI services where you have requested contact or where we have a documented legitimate interest
• Process and evaluate job applications and maintain an applicant talent pool
• Analyze website traffic and measure content effectiveness to improve the Site
• Comply with applicable legal obligations, including data breach notification laws
• Protect the security and integrity of our systems and services

We do not sell your personal information to third parties. We do not use personal information collected from the Site for automated decision-making or profiling that produces legal or similarly significant effects on you.

Marketing Communications

When you submit a contact form, schedule a consultation, or otherwise request contact from DOYB, you are consenting to our follow-up — including by email and phone — regarding your inquiry and relevant DOYB services. For US contacts, this follow-up is governed by the CAN-SPAM Act; you may unsubscribe from marketing email at any time. For EU/UK contacts, we rely on Legitimate Interests for B2B service-related follow-up; you may object at any time. For SMS text message marketing, we obtain separate express written consent — see Section 9.

---

4. How We Share Your Information

We share personal information only as described below. We never sell personal information.

4.1 Data Processors

We use the following third-party service providers who process personal data on our behalf under Data Processing Agreements (DPAs):

Links to processor privacy policies: HubSpot Privacy Policy · Google Privacy Policy · Microsoft Privacy Statement.

4.2 Other Disclosures

We may also share personal information with:

• Professional advisors: Legal counsel, accountants, and insurers — under confidentiality obligations
• Legal authorities: When required by law, regulation, court order, or to protect the rights, safety, or property of DOYB, our clients, or others
• Business successors: In connection with a merger, acquisition, asset sale, or reorganization — subject to the same privacy protections described in this policy

---

5. Cookies and Tracking Technologies

5.1 What Are Cookies

Cookies are small text files stored in your browser that allow websites and third-party services to recognize you, remember preferences, and track behavior across sessions. We also use similar technologies including web beacons and pixel tags.

5.2 Cookies We Use

The following cookies are set on the Site. EU/UK visitors: non-essential cookies are not set until you grant consent via the cookie consent tool.

All cookies above are non-essential — they are not required for the Site to function. For EU/UK visitors, these cookies are only set after consent is granted. GA4 does not store IP addresses.

5.3 Managing Cookies

You can manage your cookie preferences at any time using the cookie consent tool accessible in the Site footer. You may also:

• Disable cookies through your browser settings — note this may affect certain Site features
• Opt out of Google Analytics across all websites using the Google Analytics Opt-out Browser Add-on
• Manage HubSpot cookie preferences via the HubSpot cookie banner (EU/UK visitors only)

---

6. Data Retention

We retain personal information only as long as necessary for the purposes described in this policy or as required by law. Our standard retention periods are:

• Contact form and inquiry data: 3 years from the date of last meaningful interaction
• Job applicant data (no offer extended): 24 months from submission date, unless you request earlier deletion
• Job applicant data (offer extended and accepted): Governed by your employment agreement and applicable law
• Marketing email records: Duration of active relationship plus 2 years from unsubscribe or last engagement
• Google Analytics 4 data: 14 months (configured in our GA4 account)
• Webinar registration data: 18 months from the event date
• Legal and compliance records: As required by applicable law (typically 7 years for financial records under US GAAP)

When personal information is no longer needed, we delete or anonymize it in accordance with our internal data lifecycle procedures.

---

7. Your Rights

7.1 Rights Under EU/UK GDPR

If you are located in the EU, EEA, or UK, you have the following rights under the GDPR (EU) 2016/679 and UK GDPR:

• Right of Access (Article 15): Request a copy of the personal data we hold about you and information about how it is processed.
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure — "Right to Be Forgotten" (Article 17): Request deletion of your personal data where there is no overriding legitimate reason for retention.
• Right to Restriction of Processing (Article 18): Request that we limit processing of your data in certain circumstances (e.g., while accuracy is contested).
• Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
• Right to Object (Article 21): Object at any time to processing based on our legitimate interests, including for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.
• Rights Related to Automated Decision-Making (Article 22): We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. This right is therefore not applicable to our current processing, but will be disclosed if this changes.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@doybcyber.com. We will respond within one calendar month. For complex or high-volume requests, we may extend this by up to two additional months with written notice.

We will not charge a fee for standard requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or decline the request.

7.2 Right to Lodge a Complaint

If you are dissatisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority:

• EU residents: Contact the data protection authority in your EU Member State (e.g., CNIL in France, BfDI in Germany, AEPD in Spain)
• UK residents: Contact the Information Commissioner's Office (ICO)

7.3 Rights Under the California Consumer Privacy Act (CCPA/CPRA)

If you are a California resident, you may have the following rights under the California Consumer Privacy Act (as amended by CPRA, effective January 1, 2023):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom it is shared.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email privacy@doybcyber.com with the subject "California Privacy Request." We will respond within 45 days, extendable by an additional 45 days with notice.

7.4 Rights Under Other US State Laws

Several US states have enacted comprehensive privacy laws that may grant additional rights to residents of those states (including Colorado, Connecticut, Virginia, Texas, and others). DOYB honors equivalent rights requests from residents of all US states regardless of whether a specific state privacy law applies. Contact privacy@doybcyber.com to make a request.

---

8. International Data Transfers

DOYB is headquartered in the United States. If you are located in the EU, EEA, or UK, your personal data will be transferred to and processed in the United States. We rely on the following transfer mechanisms to ensure adequate protection:

• EU-US Data Privacy Framework (DPF): Adopted by the European Commission on July 10, 2023, as an adequacy decision for certified US companies. Both HubSpot and Google are certified under the DPF. Data transfers to these providers are governed by the DPF.
• UK-US Data Bridge: In effect from October 12, 2023, for transfers from the UK to DPF-certified US companies. HubSpot and Google participate in the UK Extension to the DPF.
• Standard Contractual Clauses (SCCs): Where DPF certification does not apply to a specific transfer, we rely on European Commission-approved SCCs (2021/914/EU). DOYB has executed DPAs incorporating SCCs with HubSpot and Google.

You may request a copy of the applicable transfer mechanisms by contacting privacy@doybcyber.com.

---

9. Marketing Communications and Consent

9.1 Email Marketing (CAN-SPAM Act)

DOYB sends commercial email communications in compliance with the CAN-SPAM Act (15 U.S.C. § 7701 et seq.). Every commercial email we send includes:

• Accurate "From" identification (sender name and email address)
• A clear and honest subject line
• DOYB's physical mailing address
• A clear and conspicuous opt-out / unsubscribe mechanism

You may unsubscribe from marketing email at any time by clicking "Unsubscribe" in any email we send, or by emailing privacy@doybcyber.com. We will honor opt-out requests within 10 business days as required by law. We will not charge a fee or require account creation to unsubscribe.

9.2 SMS / Text Message Communications (TCPA)

DOYB may send SMS text messages to contacts who provide prior express written consent. Consent is captured through our contact forms using a separate, unchecked checkbox with the following or equivalent disclosure:

SMS consent is collected and stored separately from inquiry consent. You may opt out at any time by replying STOP to any SMS we send. Consent is not required to engage DOYB's services.

9.3 Form Submission and Contact Consent

When you submit a contact form, inquiry form, or consultation request on this Site, you are expressly authorizing DOYB Technical Solutions to contact you at the email address and phone number you provide to respond to your request and share information about relevant services. This authorization covers:

• Direct responses to your specific inquiry
• Follow-up regarding the services or assessments you expressed interest in
• Periodic relevant communications about DOYB cybersecurity, compliance, and IT services

You may opt out of non-inquiry-related communications at any time by using the unsubscribe link in any email or by contacting privacy@doybcyber.com.

---

10. Job Applicant Data

Personal information submitted through our job application or general interest form — including resumes, CVs, cover letters, and employment history — is used solely for recruitment evaluation and talent pipeline management. This data is:

• Accessible only to DOYB personnel involved in the hiring process
• Not used for marketing or unrelated business purposes
• Retained for 24 months from submission if no offer is extended, after which it is securely deleted unless you consent to a longer retention period
• Deleted upon written request at any time prior to an offer of employment

To request deletion of your applicant data, email privacy@doybcyber.com with the subject "Applicant Data Deletion Request."

---

11. Security

As a cybersecurity firm, we apply to our own data practices the same standards we advise for our clients. Our security measures include:

• Encryption in transit (TLS) for all data submitted through the Site
• Role-based access controls — personal data is accessible only to personnel with a need to know
• Vendor security assessment for all third-party processors handling personal data
• Executed Data Processing Agreements with all processors
• Periodic internal review of data access and processing practices

No data transmission or storage system can be guaranteed to be 100% secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law, including the Georgia Identity Theft Protection Act (O.C.G.A. § 10-1-912) and any other applicable state breach notification laws.

---

12. Third-Party Links

The Site contains links to third-party websites and services, including HubSpot scheduling pages, Google Maps, Microsoft platforms, and external resources. This Privacy Policy applies only to DOYB's own Site and data practices. Third-party sites operate under their own privacy policies, which we encourage you to review. DOYB is not responsible for the privacy practices or content of third-party sites.

---

13. Children's Privacy

The Site and DOYB's services are directed to business professionals and are not intended for children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently received information from a child under 13, contact privacy@doybcyber.com and we will promptly delete it.

---

14. Changes to This Policy

We may update this Privacy Policy as our data practices or applicable law changes. When we make material changes, we will update the "Last updated" date at the top of this page. We recommend reviewing this policy periodically. Continued use of the Site after the effective date of a revised policy constitutes your acceptance of the updated terms.

We maintain an internal archive of prior policy versions with effective dates. You may request a prior version by contacting privacy@doybcyber.com.

---

15. Contact Us

For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern:

DOYB Technical Solutions, Inc.
Attn: Privacy
6595 Roswell Road, STE G-2293
Atlanta, GA 30328

Email: privacy@doybcyber.com
Phone: (678) 369-2555

For EU/UK rights requests, please use the email above with the subject line "GDPR Rights Request — [Your Country]." We will respond within one calendar month.