Deaf Services of Palo Alto, Inc – Privacy and Data Retention Policy
Last Updated: 2025-04-02
1. Introduction
Welcome to the website provided by Deaf Services of Palo Alto (“we,” “us,” or “our”).
We take your privacy and data security seriously. This Privacy and Data Retention Policy (“Policy”) describes how we
collect, use, retain, and protect your information in accordance with applicable laws, including (where relevant)
the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as best
practices outlined by the National Institute of Standards and Technology (NIST).
By accessing or using our website, you agree to the collection, use, and disclosure practices described in this Policy.
If you do not agree with the practices described, please do not use our website.
Important: If there is any conflict between this Policy and applicable law, the applicable law will prevail.
2. Scope and Applicability
- Geographic Scope
Although we primarily operate within the United States, this website may be accessible in other regions, including Japan
and the European Union. Where applicable, we will adhere to local data protection regulations.
- Who This Policy Applies To
This Policy applies to all visitors and users of our website.
- Exclusions – Minors
We do not knowingly collect personal information from children under the age of 16. This website is
not intended for use by individuals under 16.
3. Information We Collect
- Information You Provide
- Form Data: When you fill out our contact form, we collect the information you enter
(e.g., name, email address).
- Corporate SSO Profile: If you access the website via a corporate single sign-on (SSO) system,
we may receive certain user profile data such as your name and email address.
- Sensitive Data: We discourage sharing any sensitive personal data (e.g., health
information, social security numbers) unless absolutely necessary.
- Automatically Collected Information
- Cookies: We use cookies strictly for authentication. These cookies track your login status only and are not used for advertising, analytics, or cross-site tracking.
- Access Logs: We record access metadata (e.g., IP address, timestamps, and relevant system
events) for security and audit purposes.
- Anonymized Metadata
We may collect and use anonymized metadata or aggregated information for internal analytics, troubleshooting,
and service improvement. This does not include any personal identifiers and is never sold or shared with third parties.
4. How We Use Your Information
- Service Fulfillment
We collect your data primarily to respond to inquiries and fulfill your service requests, including scheduling, confirmation, and
communication regarding the requested services.
- Internal Analytics and Improvements
We analyze anonymized metadata to improve the functionality, reliability, and performance of the website.
No personal data is used in these analytics.
- Legal and Regulatory Compliance
In rare cases, we may need to process your data to comply with legal obligations, respond to law enforcement requests,
or defend legal claims.
- Billing and Financial Transactions
We use information from submitted requests, updates, and cancellations to manage billing, issue invoices, and process payments for the service.
5. Sharing and Disclosure
- No Third-Party Sharing or Selling
We do not sell, lease, or otherwise disclose your data to third parties. Your data is shared only to the
minimum extent necessary to facilitate the requested services.
- Infrastructure Provider Only
The website is hosted on infrastructure provided by a third-party hosting service. This service acts solely as an
infrastructure provider and does not access or process the data collected by our website.
- Legal Requirements
We may disclose your information if required by law or to protect the rights, property, or safety of our organization,
our users, or others.
6. Data Retention
- Retention Period
Data submitted through the website is retained for a period of ten (10) years, and is stored in accordance with our
Data Classification and Handling Procedures. Access logs and other metadata are also retained for auditing
and compliance.
- Data Deletion Requests
If you would like your data to be deleted before the 10-year period ends, you may submit a request to our
Data Protection Officer (DPO). We will honor such requests unless legal, regulatory, or contractual obligations
(for example, GDPR/CCPA requirements) prevent us from doing so.
- Early Deletion Exceptions
Certain situations (e.g., ongoing investigations, specific retention requirements under GDPR/CCPA) may necessitate
retaining data beyond the standard period.
- NIST Best Practices
Our retention practices align with NIST guidelines to ensure secure storage, appropriate encryption,
and timely disposal of data.
7. Your Rights and Choices
- Access and Correction
You may request access to or correction of your personal data if you believe it is inaccurate or incomplete.
Such requests should be directed to our DPO.
- Deletion (Right to Erasure)
You have the right to request deletion of your personal data as described above. Please submit such requests to
our DPO at the contact information below.
- Response Timeframe
We strive to respond to all valid requests within 30 days of receipt, as required by
applicable law.
8. Security Measures
- Encryption and Data Storage
We encrypt data both in transit (via secure protocols such as HTTPS) and at rest
(using industry-standard encryption).
- Audits and Vulnerability Scans
We regularly conduct manual and automated vulnerability assessments to maintain a secure environment.
Our Data Classification and Handling Procedures are audited annually (internally).
- Incident Response
In the event of a data breach, we follow our Incident Response Plan, which is aligned with
NIST SP 800-61 and similar guidelines, to ensure timely notification and resolution.
9. How We Update This Policy
We may occasionally update this Policy to reflect changes in our practices or relevant laws. When we do, we will post
the updated Policy on the website. Please review this Policy periodically to stay informed about how we protect
your information.
10. Contact Us
If you have any questions, concerns, or requests regarding this Policy, please contact our
Data Protection Officer (DPO):
- Name: Chris Russell
- Email: chris@dspa.org
- Phone: +1-541-690-8313
For general privacy inquiries, or if you have any questions about our practices, you can also reach us at:
- Mailing Address: Deaf Services of Palo Alto, Inc, PO Box 60651, Palo Alto, CA, 94306
- Email: info@dspa.org
- Phone: +1-650-469-3772
11. Effective Date
This Policy is effective as of 2025-04-02 and remains in effect until updated or replaced by a
subsequent revision.
Thank you for reviewing our Privacy and Data Retention Policy. If you have any further questions
or concerns, please contact us using the information provided above.