    Privacy Policy

    Top Floor Security, LLC

    Effective Date: March 26, 2026 · Last Updated: March 26, 2026

    1. Introduction

    Top Floor Security, LLC ("TFS," "we," "us," or "our") is a boutique governance, risk, and compliance (GRC) consulting firm. This Privacy Policy describes how we collect, use, disclose, and protect personal information through our website at topfloorsecurity.com (the "Site") and related services.

    By using the Site or our services, you agree to the practices described in this policy. If you do not agree, please discontinue use of the Site.

    2. Information We Collect

    2.1 Information You Provide Directly

    • Contact Form Submissions: Name, email address, phone number (if provided), company name, and the content of your message.
    • Email Notification Signup: Email address and, optionally, your name and company (notification list for upcoming content).
    • Service Engagements: When you engage our services, we collect your name, email address, company affiliation, and any information you provide in connection with the engagement.

    Our web forms require a business email address. Submissions from free email providers (e.g., Gmail, Yahoo, Outlook.com) are not accepted. This restriction helps us maintain the quality of our business communications and is not used for any other purpose.

    2.2 Information Collected Automatically

    When you visit the Site, we automatically collect certain technical information, including:

    • Analytics Data: Pages visited, referring URLs, session duration, general geographic region (city/country level), device type, browser type, and operating system.
    • Server Logs: IP address, request timestamps, and HTTP headers. These logs are retained for security monitoring and are purged on a rolling basis.
    • Cookies and Similar Technologies: See Section 5 below.

    2.3 Information from Third Parties

    We may receive information about you from publicly available sources, referral partners, or your employer or organization when they engage us for services on your behalf.

    3. How We Use Your Information

    • Service Delivery: To respond to inquiries, onboard clients, and deliver consulting engagements.
    • Communications: To send you requested information, engagement updates, invoices, and, if you have opted in, our email notifications.
    • Site Operations and Improvement: To monitor Site performance, analyze usage patterns, troubleshoot issues, and improve user experience.
    • Security: To detect, prevent, and respond to fraud, unauthorized access, and other security incidents.
    • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

    4. How We Share Your Information

    We do not sell your personal information. We may share your information in the following limited circumstances:

    • Service Providers: With third-party vendors who perform services on our behalf, subject to contractual obligations to protect your data.
    • Professional Obligations: Where required in connection with a client engagement, with appropriate confidentiality protections in place.
    • Legal Requirements: When disclosure is required by law, regulation, subpoena, court order, or other legal process.
    • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets.
    • With Your Consent: In any other circumstance where you have provided explicit consent.

    Our current service providers include: Supabase (database hosting and authentication), Mailgun (email delivery), Google (analytics, when configured), and Vercel or equivalent (website hosting). We review the security practices of our service providers and require contractual data protection commitments.

    Enterprise clients requiring a Data Processing Agreement (DPA) may request one by contacting privacy@topfloorsecurity.com.

    5. Cookies and Tracking Technologies

    5.1 Cookies We Use

    Category                   | Purpose                                                                  | Examples
    ---------------------------|--------------------------------------------------------------------------|--------------------------------------------------
    Strictly Necessary         | Site functionality, session management and authentication               | Session cookies, CSRF tokens
    Analytics                  | Understanding Site usage and performance                                 | Google Analytics (_ga, _gid)
    Privacy-Friendly Analytics | Aggregate, cookieless usage metrics (may be implemented in the future)   | Plausible (no cookies set; not currently active)

    5.2 Managing Cookies

    When you first visit the Site, a cookie consent banner allows you to accept or reject non-essential cookies. Your preference is stored locally and respected on subsequent visits. You can change your preference at any time by clearing your browser's local storage for this site.

    You can also control cookies through your browser settings. Disabling strictly necessary cookies may impair Site functionality.

    5.3 Do Not Track

    We do not currently respond to "Do Not Track" browser signals. You can manage your cookie preferences through our consent banner.

    6. Data Retention

    • Contact form and email notification data: Retained until you request deletion or unsubscribe, plus a reasonable wind-down period.
    • Client engagement data: Retained for the duration of the engagement and for a minimum of seven (7) years thereafter.
    • Analytics data: Retained per configured retention settings (default: 14 months).
    • Server logs: Retained for up to 90 days, unless extended for an active security investigation.

    7. Data Security

    We implement administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, use, alteration, or destruction. These include encryption in transit (TLS), hashed credential storage, role-based access controls, and regular security reviews.

    No method of transmission or storage is 100% secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.

    In the event of a data breach involving your personal information, we will notify affected individuals and applicable regulatory authorities in accordance with applicable law, including GDPR Article 33/34 timelines where applicable.

    8. Your Privacy Rights

    8.1 General Rights

    Depending on your jurisdiction, you may have the right to:

    • Access the personal information we hold about you.
    • Request correction of inaccurate or incomplete information.
    • Request deletion of your personal information, subject to legal and contractual exceptions.
    • Opt out of marketing communications at any time.
    • Withdraw consent where processing is based on consent.

    We will respond to verified data subject access requests within 30 days (GDPR) or 45 days (CCPA/CPRA). If additional time is needed, we will notify you of the extension and the reasons.

    8.2 California Residents (CCPA/CPRA)

    If you are a California resident, you have additional rights under the California Consumer Privacy Act:

    • Right to Know: You may request the categories and specific pieces of personal information we have collected.
    • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
    • Right to Correct: You may request correction of inaccurate personal information.
    • Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
    • Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

    We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. Because we do not engage in these activities, we do not offer a "Do Not Sell or Share My Personal Information" link. If this practice changes, we will update this policy and provide the required opt-out mechanism.

    8.3 Other U.S. State Privacy Laws

    Residents of states with comprehensive privacy laws may have similar rights to access, correct, delete, and opt out. Contact us to exercise these rights.

    8.4 European Economic Area and United Kingdom (GDPR)

    If you are located in the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional rights regarding your personal data. Top Floor Security, LLC acts as the data controller for personal information collected through the Site and our services.

    Lawful Bases for Processing: We process your personal data on the following lawful bases:

    • Legitimate Interests: Service delivery, Site operations, security monitoring, and business development, where these interests are not overridden by your data protection rights.
    • Consent: Email notification subscriptions and non-essential cookies, which you may withdraw at any time.
    • Contractual Necessity: Processing required to fulfill client engagements and service agreements.

    Your Rights as an EU/UK Data Subject: You have the right to:

    • Access the personal data we hold about you.
    • Rectification of inaccurate or incomplete personal data.
    • Erasure of your personal data ("right to be forgotten"), subject to legal retention obligations.
    • Restriction of processing in certain circumstances.
    • Data portability, receiving your data in a structured, commonly used, machine-readable format.
    • Object to processing based on legitimate interests.
    • Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

    Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates applicable law.

    Cross-Border Data Transfers: Your personal data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for personal data transferred outside the EEA or UK.

    9. Children's Privacy

    The Site and our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.

    10. Third-Party Links

    The Site may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

    11. Changes to This Policy

    We may update this Privacy Policy from time to time. Material changes will be indicated by updating the "Last Updated" date at the top of this page. Continued use of the Site after changes constitutes acceptance of the updated policy.

    12. Contact Us

    If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint, please contact us at:

    Top Floor Security, LLC

    30 N Gould St, Ste N, Sheridan, WY 82801, USA

    Email: privacy@topfloorsecurity.com

    Website: topfloorsecurity.com

    Revision History

    Version | Date           | Summary of Changes
    --------|----------------|------------------------------------------------------------------------------------------------------------------------------------------------
    1.2     | March 26, 2026 | Removed EU-U.S. Data Privacy Framework reference; cross-border transfers now rely on SCCs only. Clarified newsletter references as email notification list.
    1.1     | March 26, 2026 | Added GDPR data subject rights, data breach notification, cookie consent banner reference, third-party processor list, DPA availability.
    1.0     | March 26, 2026 | Initial publication