PRIVACY, DATA PROTECTION, AND COOKIES POLICY

Effective Date: June 23, 2026   |   Last Material Revision: June 23, 2026

This Privacy, Data Protection, and Cookies Policy (“Policy”) establishes the comprehensive regulatory compliance framework governing the data collection, processing, cross-border or localized transmission, retention, and disclosure protocols enforced by Business Control Systems (“Company,” “Firm,” “we,” “us,” or “our”). This Policy outlines our absolute commitment to statutory transparency, information security, and individual data autonomy across all operational roles—including our legal practices, real estate operations, business consulting entities, and professional workforce placement, staffing, and recruitment services. This Policy applies directly to all job applicants, talent candidates, temporary or placed workers, corporate clients, independent contractors, and digital platform users (“you” or “your”).

Statutory Definitions and Legal Framework

This Policy is architected to execute strict compliance with the statutory provisions of the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA) (codified at Cal. Civ. Code § 1798.100 et seq.), and the administrative regulations promulgated by the California Privacy Protection Agency (CPPA). For the purposes of this legal framework, the following explicit definitions apply:

  • “Personal Information” (PI) means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, job applicant, candidate, household, or corporate representative. PI excludes verified de-identified data, aggregated statistical summaries, and lawfully available public records from federal, state, or municipal government agencies.
  • “Sensitive Personal Information” (SPI) denotes a specialized subset of PI heavily protected under California law, including social security, driver’s license, state identification card, or passport numbers; precise geolocation data; citizenship, immigration status, or valid work authorization records; individual account login credentials in combination with any required security codes or passwords allowing access to a portal; racial or ethnic background; and biometric processing executed to uniquely identify an individual.
  • “Sell,” “Selling,” “Sale” encompasses any act of selling, renting, releasing, disclosing, disseminating, making available, or otherwise communicating a consumer’s personal information by the business to a third party for monetary or other valuable consideration.
  • “Share,” “Shared,” “Sharing” specifically means the sharing, transferring, or communicating of a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not any monetary or valuable consideration is exchanged.

Specialized Notice: Applicant, Candidate, and Workforce Placement Services

As a multi-disciplinary entity executing executive placement, technical staffing, and professional workforce solutions, our data intake workflows capture volumes of candidate and worker records. This Section outlines the specific industry-grade safeguards, notices, and operational mandates governing candidate processing.

A. Comprehensive Candidate Categories of Personal Information Collected

Beyond general digital identifiers, our professional placement workflows necessitate the collection and systematic analysis of the following detailed candidate data sets:

  • Professional, Educational, and Employment Records: Detailed resumes, curriculum vitae (CVs), academic transcripts, professional certifications, corporate governance positions, professional license numbers, references, interview notes, and specific target compensation profiles.
  • Background Screening Metrics: Criminal background reports, previous employment verifications, educational credential confirmations, motor vehicle records (MVR), and credit history profiles where explicitly permitted by law and relevant to financial or fiduciary placement responsibilities.
  • International Worker Compliance and Verification: Documented passport numbers, specific visa classifications, permanent residency markers, explicit physical work authorizations, and verified Form I-9 validation records. This data is handled exclusively as Sensitive Personal Information (SPI).
  • Biometric and Remote Identity Safeguards: Where candidates utilize automated on-demand video interviews, remote proctoring portals, or facial verification software, our platforms may capture biometric identifiers derived from facial geometry and voice patterns solely to confirm identity and process interview audio/visual files.

B. Industry-Specific Data Disclosures (Core Business Processing)

To fulfill our contractual mandates for staffing and recruitment, your candidate profile is disclosed directly to prospective corporate employers, hiring managers, and enterprise client stakeholders who have active talent openings aligned with your background. Furthermore, for placed contractors or temporary staff, your data is transferred to downstream operational service providers, including automated payroll processors, benefit plan administrators, insurance underwriters, and municipal tax agencies.

C. Regulatory Safeguards: Background Screening and FCRA Compliance

Any background check or screening profile procured during our staffing evaluation is handled via consumer reporting agencies under explicit federal guidelines.

FAIR CREDIT REPORTING ACT (FCRA) COMPLIANCE DISCLOSURE:
In strict compliance with the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) and corresponding state laws, separate, standalone clear and conspicuous disclosures and formal authorization forms will be provided to you directly before any consumer report, investigative consumer report, or background check is commissioned or executed.

D. Algorithmic Processing, AI Screening, and Evolving California Compliance

We leverage automated algorithmic structures, data parsing models, and artificial intelligence suites to match candidate resumes against active client operational matrices, analyze structural completeness of applications, and optimize interview scheduling. These digital platforms function entirely as an administrative efficiency tool. Final employment determinations, hiring decisions, or placement selections are never based solely on automated processing or algorithmic analysis. Every candidate outcome involves meaningful human review, oversight, and final determination by our human recruitment staff in compliance with modern California civil rights and privacy regulations.

Master Inventory of Personal Information Collected

During the 12-month period preceding the effective date of this Policy, the Company has collected, and will continue to collect, the following statutory categories of Personal Information and Sensitive Personal Information:

Statutory PI Category: A. Identifiers

  • Data Elements Captured: Legal name, unique personal identifier, IP address, corporate/personal email, physical mailing address, telephone markers.
  • Statutory Source: Direct user form inputs; automated digital network handshake logs.
  • Operational Purpose: Fulfilling service requests, authenticating portal access, and routing transaction records.
  • Retention Protocol: Active engagement plus 7 years post-termination for corporate tax and financial audits.

Statutory PI Category: B. Professional & Candidate Data

  • Data Elements Captured: Resumes, employment records, professional licenses, transcripts, references, interview notations.
  • Statutory Source: Direct candidate input, professional references, and academic registries.
  • Operational Purpose: Evaluating qualifications for active or future client placement opportunities.
  • Retention Protocol: Retained for as long as necessary to facilitate placement options or until a deletion command is executed.

Statutory PI Category: C. Sensitive Personal Information (SPI)

  • Data Elements Captured: Social security numbers, passports, visa documents, work authorizations, portal login passwords.
  • Statutory Source: Secure, encrypted user uploads via specialized onboarding pathways.
  • Operational Purpose: Verifying statutory right to work, processing payroll taxes, and securing system access controls.
  • Retention Protocol: Destroyed immediately upon expiration of statutory federal/state employment retention laws.

Statutory PI Category: D. Internet or Network Activity

  • Data Elements Captured: Browsing histories, clickstream analytics, internal search queries within job boards, and email read logs.
  • Statutory Source: Automatic data capture through browser cookies, web beacons, and pixels.
  • Operational Purpose: Optimizing platform layouts, monitoring server firewalls, and debugging application errors.
  • Retention Protocol: 14 months maximum from the date of the initial digital session.

California Consumer Privacy Rights (CCPA/CPRA)

If you are a resident of the State of California, you hold the following non-waivable statutory rights regarding your personal data under Civil Code § 1798.100 et seq.:

  • The Right to Know and Access: You possess the right to demand disclosure regarding what categories and specific pieces of Personal Information we have collected, sold, shared, or disclosed about you, tracking historical data elements from January 1, 2022, forward.
  • The Right to Delete: You have the right to request the deletion of Personal Information collected directly from you, subject to explicit statutory exceptions (such as open legal representation, active transactional retention, statutory payroll recording, or fraud prevention).
  • The Right to Correct Inaccurate Data: You maintain the right to enforce the correction of inaccurate or incomplete personal or professional data elements within our internal and downstream databases.
  • The Right to Opt-Out of Sale or Sharing: You have the right to direct us to stop selling or sharing your Personal Information for cross-context behavioral advertising. We do not sell data for money; however, our use of analytical or marketing tracking technologies triggers a statutory “Sharing” classification, which you can block.
  • The Right to Limit the Use of Sensitive Personal Information: We only process SPI within the strict boundaries of CCPA Regulation § 7027(m) for foundational operational purposes (such as verification of work eligibility or payroll execution). Because we do not leverage SPI to infer distinct consumer traits for marketing, an explicit “Right to Limit” interface button is not legally mandated on our platforms.

Non-Discrimination and Non-Retaliation Mandate

We strictly prohibit any form of differentiation, discrimination, or corporate retaliation against any individual exercising their statutory rights under the CCPA/CPRA. For job applicants, candidates, and placed contractors, this means:

  • We will never deny you access to our candidate talent pools, career placement services, or professional legal and consulting resources.
  • We will not prioritize, deprioritize, or modify the status of your active application files based on your data privacy choices.
  • We will not alter, manipulate, or suggest separate compensation benchmarks, contract rates, or benefit models with corporate client networks based on your choice to limit data processing or execute deletion commands.

Formal Verification, Request Intake, and Response Standards

To execute your Right to Know, Delete, or Correct, you must submit a verifiable consumer request through one of our monitored regulatory intake pathways:

  1. Electronic Mail Submission: Send an email titled “CCPA Statutory Privacy Rights Request” to our compliance desk at Cheryl.Underwood@bcsmis.com
  2. Physical Mail / Verification Processing: Submit a written inquiry to our administrative office:
    5808 Communications Pkwy, Plano, TX 75093

A. Identity Verification Thresholds

To eliminate data spoofing or identity theft, requests must clear explicit verification protocols. For standard disclosures, a Two-Point Match against our internal logs (such as verifying a current email and telephone record) is required. For high-risk requests (such as data deletion or the release of granular information), a Three-Point Match combined with a signed declaration under penalty of perjury stating that you are the specific individual whose data is the subject of the request is mandatory. Authorized agents registered with the California Secretary of State must present signed, notarized documentation proving explicit proxy authorization before data processing.

B. Response Timing, Format, and Delivery Mandates

Our compliance staff adheres to strict statutory response processing schedules:

  • Acknowledgment: Formal acknowledgment of request receipt will occur within 10 business days, detailing verification tracking parameters.
  • Substantive Response: A complete, final substantive answer will be delivered within 45 calendar days from the initial ingestion date.
  • Technical Extensions: If exceptional complexity or massive data volume necessitates an extension, we will notify you within the initial 45-day window, state the explicit technical justification for the delay, and extend our response window by an additional 45 days, up to a firm regulatory maximum of 90 calendar days.
  • Portability and Formatting: All data disclosures are provided completely free of charge. Records will be exported in a portable, easily legible, and structurally organized digital layout (such as an encrypted, structured PDF or universal CSV data schema) to allow frictionless data transfer to external entities. You may execute a Right to Know request up to two times within any rolling 12-month period without administrative fee exposure.

Cookies and Automated Tracking Technologies Policy

Our digital platforms leverage cookies, tracking pixels, local storage objects (LSOs), and web beacons to automatically track system configurations, map navigational flows, and analyze infrastructure traffic metrics.

  • Strictly Necessary Cookies: Cryptographically required for platform security, user session stability, firewall optimization, and active login state preservation. These cannot be deactivated and do not track commercial behavioral characteristics.
  • Performance & Analytics Cookies: Used to track aggregated, anonymous metrics regarding visitor volumes, bounce rates, and broken hyperlinks. These cookies are optional and require user authorization.
  • Targeting & Cross-Context Behavioral Advertising Cookies: Placed by third-party digital marketing platforms to map user interactions across independent web domains, building consumer profiles to deliver targeted advertising on external sites. These cookies represent a “Share” of information and are subject to immediate consumer opt-out.

Automated Symmetrical Privacy Enforcement and GPC Processing

Our platform architectural designs implement complete parity regarding cookie and data choices to eliminate dark patterns and guarantee total individual data autonomy.

A. Symmetrical Interface Design

The interactive choices to “Accept All Cookies” and “Reject All Cookies” (or “Opt-Out”) are displayed using completely identical visual parameters. The control buttons utilize identical font families, text sizes, background weights, borders, and color contrast scales. This parity ensures that protecting your data privacy is just as accessible and immediate as consenting to tracking, with no multi-layered menus or visual misdirection employed.

B. Real-Time Global Privacy Control (GPC) Enforcement

Our platform infrastructure is configured to scan for and process Global Privacy Control (GPC) browser broadcast signals automatically. When your browser or privacy plugin transmits a valid GPC token:

  1. Our platform processes the signal as a definitive, lawful instruction to opt-out of all targeting and cross-context behavioral tracking.
  2. All third-party data tracking pixels, analytics scripts, and behavioral ad-network scripts are blocked instantly at the browser-rendering layer.
  3. Our website dynamically displays an explicit status notification in the footer or header confirming enforcement:
🟢 Opt-Out Request Honored:
Our platform has successfully detected your browser-level Global Privacy Control (GPC) signal. Deployed tracking, profiling, and third-party data sharing mechanisms have been automatically deactivated for this active browser session.

Enterprise Data Security Protocols and Institutional Mandates

We enforce strict structural security procedures designed to safeguard Personal Information and Sensitive Personal Information from unauthorized access, loss, or alteration. All data in transit across our internal portfolios or external client platforms is protected using Transport Layer Security (TLS 1.3) protocols. Data at rest within our applicant tracking systems (ATS), practice management portals, and cloud file architectures is secured under AES-256 standard cryptographic encryption. System access controls are limited via the Principle of Least Privilege (PoLP) and require multi-factor authentication (MFA) across all professional staff nodes. While no digital infrastructure can boast absolute immunity from threat actors, we run structured vulnerability assessments and log reviews to maximize operational security.

Contact and Regulatory Administration

For questions regarding the legal interpretations, data processing architectures, or operational components of this Policy, contact our office directly:

Dianne Ferguson
Managing Director
Business Control Systems, LP
972.241.8392

Cheryl.Underwood@bcsmis.com