inception-app-prod/NDhhZmU1MmEtOGNmYS00NDNhLTkzMDEtNmU4OWEzMjkwMjlj/content/2023/04/9bf43182ae1745d5bb31a0b0ff34ccba88091bc7.png
303-929-0334
inception-app-prod/NDhhZmU1MmEtOGNmYS00NDNhLTkzMDEtNmU4OWEzMjkwMjlj/content/2023/04/9bf43182ae1745d5bb31a0b0ff34ccba88091bc7.png
inception-app-prod/NDhhZmU1MmEtOGNmYS00NDNhLTkzMDEtNmU4OWEzMjkwMjlj/content/2023/04/9bf43182ae1745d5bb31a0b0ff34ccba88091bc7.png

Privacy Policy

  1. Describing how the business will implement and maintain reasonable security procedures and practices to protect PII; T Cole Realty LLC DATA PROTECTION POLICY Data Protection Policy prepared for T Cole Realty LLC 2 © 2019 Frascona, Joiner, Goodman and Greenstein, P.C., 4750 Table Mesa Drive Boulder, CO 80305 (303) 494-3000 Initials_______ 2. Providing for the destruction or proper disposal of paper and electronic documents containing PII when they are no longer needed; and 3. Planning for investigation and notification when the business becomes aware that a security breach has or may have occurred. IV. Definition of “Personal Identifying Information” As of the adoption of this Policy, “Personal identifying information” (“P.I.I.”) is defined by Colorado state law as:  A social security number;  An official state or government-issued driver's license or ID card number;  A government passport number;  An employer, student, or military identification number;  A personal identification number (aka a “PIN” number);  A password or pass code;  Biometric data o “Biometric data” means “unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account” (for example, fingerprints)  A financial transaction device; o “Financial transaction device” means “any instrument or device whether known as a credit card, banking card, debit card, electronic fund transfer card, or guaranteed check card, or account number representing a financial account or affecting the financial interest, standing, or obligation of or to the account holder, that can be used to obtain cash, goods, property, or services or to make financial payments, but shall not include a check” If you are ever unsure about whether something you are using contains PII, please refer to this policy first and then reach out to the Data Protection Coordinator if you have further questions. This Policy applies to all PII collected, maintained, transmitted, stored, retained or otherwise used by the Company regardless of the media on which that information is stored (for example, on computers, servers, laptops, smart phones, or in paper files, correspondence, etc.) and regardless of whether it relates to employees, customers, or any other person. The list below is not exhaustive, but some examples of PII that the Company has that may arise in the regular course of business include:  Social Security Numbers (or Employer Identification Numbers for brokers who have established an entity such as an LLC or S-Corp) and/or bank account information of T Cole Realty LLC DATA PROTECTION POLICY Data Protection Policy prepared for T Cole Realty LLC 3 © 2019 Frascona, Joiner, Goodman and Greenstein, P.C., 4750 Table Mesa Drive Boulder, CO 80305 (303) 494-3000 Initials_______ employees or independent contractors, contained on applications and/or for tax and wage administration purposes.  Bank account information and/or Social Security numbers contained in mortgage documents and closing statements.  A photocopy of a client’s driver’s license, either as a safety precaution when agents leave the office with a new client for the first time or in connection with a notary’s records.  Credit card numbers if a client asks for a broker to coordinate a payment for an inspection, appraisal, etc. V. Guiding Principles When interpreting the policies and procedures described in this Policy, please keep the following principles in mind:  Be aware of what personal information you have in your files and on your computer or other devices.  PII should be acquired and used to the extent it is strictly necessary for a legitimate business purpose of the Company. Keep only what is needed.  PII should not be used for unauthorized purposes.  PII should be stored securely.  PII should not be kept for longer than necessary. Properly dispose of what you no longer need. To summarize: If the Company does not have a legitimate business need for the PII — then do not collect it. If there is a legitimate business need for the information, then keep it only as long as it’s necessary, and keep it reasonably protected. Once that business need is over, then properly dispose of the PII. VI. General Responsibilities for Everyone in the Company A copy of this Policy shall be distributed to each employee1 of the Company who shall, upon receipt of the Policy, acknowledge in writing that he/she has received and read a copy of the Policy. Any new employees hired after the effective date of this Policy shall be provided with a copy and shall acknowledge, in writing, receipt of the Policy. 1 The term “employee” is used throughout this Policy for purposes of convenience only. This Policy should be distributed to and signed by any individuals working for the Company who have access to PII held by the Company, even if such individuals are classified as “independent contractors” or some other designation under applicable law. The delivery of this Policy to any individual working for the Company does not affect and is not intended to affect any individual’s classification status as an employee or otherwise. T Cole Realty LLC DATA PROTECTION POLICY Data Protection Policy prepared for T Cole Realty LLC 4 © 2019 Frascona, Joiner, Goodman and Greenstein, P.C., 4750 Table Mesa Drive Boulder, CO 80305 (303) 494-3000 Initials_______ The amount of PII collected by the Company shall be limited to that amount reasonably necessary to accomplish our legitimate business purposes, or necessary to comply with other state or federal regulations. As a result, if there is a way you can complete a task without acquiring PII, do not ask for it in the first place. If you are given PII and do not need it to complete a task (for example, if you receive a copy of a document for a certain purpose that happens to contain PII such as a client’s social security number, but you do not need the PII contained in that document for that purpose) please permanently redact the PII from that document if possible. Everyone within the Company should strive to support the security measures in place by the Company to safeguard PII. Such measures include access controls (such as individual passwords on computers and smart phones that have access to any PII the Company has), training on the proper handling of PII, and storing records containing PII in secure locations. You may not handle PII inconsistently with the guidelines in this Policy. Anyone violating this Policy may be subject to disciplinary action, up to and including dismissal. When in doubt about anything related to this Policy, please reach out to the Data Protection Coordinator. Access to records containing PII should be limited to those persons who are reasonably required to know such information in order to accomplish a legitimate business purpose or to enable the Company to comply with applicable laws or regulations Anyone who has knowledge of unauthorized access, use or disclosure of PII, or any action or inaction with the Company violating the terms of this Policy, should reach out immediately to the Data Protection Coordinator. When an individual is no longer employed by the Company, access to computer systems should be immediately and permanently blocked; his/her voicemail access, email access, internet access, and passwords shall be invalidated; his/her keys to any buildings, file cabinets, and/or storage areas shall be immediately returned to the Company. The terminated individual must return all records containing PII, in any form, which may at the time of such termination be in the individual’s possession or control (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.). Other Guidelines and Rules:  You may not use PII for any reason unrelated to your job duties.  Employees should keep all PII secure, by taking sensible precautions and by following the data storage and other guidelines below.  PII should be stored in as few places as necessary. T Cole Realty LLC DATA PROTECTION POLICY Data Protection Policy prepared for T Cole Realty LLC 5 © 2019 Frascona, Joiner, Goodman and Greenstein, P.C., 4750 Table Mesa Drive Boulder, CO 80305 (303) 494-3000 Initials_______  Strong passwords should be used for any and all computers or other devices that have the ability to access PII the Company has, and passwords should not be shared.  Paper documents containing any PII should be stored in secure locations when not in use.  PII should not be accessed by or disclosed to unauthorized people.  If records containing PII are no longer required, they should be deleted and disposed of in accordance with the Company’s record retention and destruction policies. o If you have any questions about the Company’s record retention and destruction policies, please contact the Data Protection Coordinator.  Employees should ensure the screens of their computers are locked when left unattended for any significant amount of time.  When traveling away from the office, employees should not leave laptops or other devices with access to PII the Company has unattended in unsecure locations.  People should request help from their supervisor or the Data Protection Coordinator if they are unsure about anything related to this Policy.  If you know or suspect that an incident has occurred that could compromise the security of PII held by the Company, members of the Company should immediately report any information they have regarding that knowledge or suspicion to the Data Protection Coordinator. o Prompt reporting of any such incident to appropriate persons within the Company is important because it maximizes the potential for the Company to be able to: 1) prevent, end, and/or mitigate the effects of any security breach, and 2) rapidly and appropriately evaluate any legal requirements the Company may have in the event of an actual breach, including whether the Company must notify individuals or regulatory authorities. VII. Data Protection Coordinator and Others with Specific Responsibilities These people within the Company have key areas of responsibility:  The Data Protection Coordinator, Tanner Cole, is responsible for: o Handling data protection questions from employees. o Keeping the owners of the Company updated about data protection responsibilities, risks and issues. o Periodically reviewing and, when appropriate, proposing changes to this Policy, as well as any other related policies, to be discussed with the owners of the Company. o Arranging for reasonable data protection training and advice for individuals within the Company who have access to PII. T Cole Realty LLC DATA PROTECTION POLICY Data Protection Policy prepared for T Cole Realty LLC 6 © 2019 Frascona, Joiner, Goodman and Greenstein, P.C., 4750 Table Mesa Drive Boulder, CO 80305 (303) 494-3000 Initials_______  The IT Manager, Tanner Cole, is responsible for: o Evaluating any third-party services the Company is considering using to store or process data or store files that could contain PII, for example cloud computing services, and discussing the same with the owners of the Company. o Ensuring the Company maintains up-to-date firewall protection, reasonably designed to maintain the integrity of any PII, installed on all computer network systems electronically storing PII. o Ensuring the Company maintains up-to-date computer software, including a program or programs with anti-virus, anti-spyware, and anti-malware functions, installed on all computer network systems electronically storing PII. o Ensuring that access to any files that could include electronically stored PII shall be limited to employees using a unique log-in ID and password; and ensuring that re-log-in shall be required when a computer has been inactive for more than a set period of time.  The HR Manager, Tanner Cole, is responsible for: o Safeguarding PII in accordance with the terms of this Policy for employees, independent contractors, or other staff in connection with employment applications and personnel records. o Evaluating any third-party services the Company is using or considering using for things like insurance or other benefits, whenever any such services might include the potential sharing of PII from the Company or its employees, and discussing the same with the owners of the Company.  The Bookkeeper, Tanner Cole, is responsible for: o Safeguarding PII in accordance with the terms of this Policy for employees, independent contractors, or other staff in connection with tax and wage administration purposes. o Evaluating any third-party services the Company is using or considering using for things like billing, payroll, or credit card processing, whenever any such services might include the potential sharing of PII from the Company or its employees or clients, and discussing the same with the owners of the Company. VIII. Data Storage Any specific questions about storing data safely can be directed to the Data Protection Coordinator. When data is stored on paper (these guidelines also apply to data that is usually stored electronically but has been printed out for any reason):  Employees should make sure paper and printouts containing PII are not left unattended where unauthorized people could see them. T Cole Realty LLC DATA PROTECTION POLICY Data Protection Policy prepared for T Cole Realty LLC 7 © 2019 Frascona, Joiner, Goodman and Greenstein, P.C., 4750 Table Mesa Drive Boulder, CO 80305 (303) 494-3000 Initials_______  Paper documents containing PII should be shredded or otherwise disposed of securely when no longer required in accordance with the Company’s record retention and destruction policies.  When not being used, the paper or files containing PII should be kept in a locked filing cabinet or locked room when possible. Any paper files containing PII that are not stored in a locked filing cabinet or locked room should be kept in a building or portion of a building that is always locked when the Company is not open for business.  Access to paper files containing PII should be limited to individuals with a legitimate business need. When data is stored electronically:  Data with PII should only be stored on designated drives and servers, and should not be saved directly to laptops or other devices like tablets or smart phones.  All servers and computers containing data should be protected by approved security software and a firewall. o The Company should run up-to-date anti-virus/anti-spyware/anti-malware programs on individual computers and on servers on the Company’s network.  Strong passwords should be used for any and all computers or other devices that have the ability to access PII the Company has, and passwords should not be shared. IX. Third Parties Whenever the Company needs to share PII with third parties such as an outside accountant, a payroll company, a credit card processor, etc., the Company will choose such service providers carefully. The Company should engage reputable contractors in good standing with applicable regulatory requirements, if any, and undertake appropriate due diligence. The Company’s contracts with such third parties should require them to implement and maintain appropriate security measures to ensure any PII is kept reasonably secure and is used in accordance with the Company’s instructions or as otherwise provided by law. X. Breach Investigations and Notification Under Colorado state law, the Company is required to promptly conduct an investigation when it becomes aware that a “security breach” of certain electronic data may have occurred. As of the adoption of this Policy, a “Security Breach” is defined by Colorado state law as:  “Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information.” o As of the adoption of this Policy, “encrypted” is defined by Colorado state law as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” T Cole Realty LLC DATA PROTECTION POLICY Data Protection Policy prepared for T Cole Realty LLC 8 © 2019 Frascona, Joiner, Goodman and Greenstein, P.C., 4750 Table Mesa Drive Boulder, CO 80305 (303) 494-3000 Initials_______ For example, a Security Breach can occur by:  A hacker electronically accessing and acquiring computerized data;  Unauthorized access of a computer network through weak passwords;  Theft of unencrypted data sent through a payment system; or  A briefcase, smartphone, laptop computer, or data storage device containing client files that is stolen or misplaced. The definition of “personal information” for purposes of Colorado’s Notification of Security Breach statute is very similar, but not identical to, the definition of PII discussed above. For purposes of this Policy, “personal information” under Colorado’s Notification of Security Breach statute will be referred to as “Breach PI”. As of the adoption of this Policy, Breach PI is defined as:  A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account;  A Colorado resident’s account number or credit or debit card number in combination with any required security codes, access code, or password that would permit access to that account; and  A Colorado resident’s first name or first initial and last name in combination with any one of the following: o Social Security number o Driver’s License number or Identification Card number o Student, military, or passport identification number o Medical information o Health insurance identification number o Biometric data  Personal information does not include information that is lawfully made available to the general public from government records or widely distributed media. When it becomes aware that a Security Breach may have occurred, the Company will conduct a good faith and prompt investigation to determine the likelihood that Breach PI has been or will be misused. The Data Protection Coordinator will work with the owners of the Company, along with the IT Manager, HR Manager, Bookkeeper, and any other individuals connected with the Security Breach, to first isolate all affected systems to limit the potential further data loss. After all affected systems have been isolated, the Company will investigate the incident and prepare a report containing the following information:  Date, time, duration, and other basic details related to the Security Breach  How the Security Breach was discovered, including who discovered the Security Breach, what led that person (or persons) to suspect a Security Breach, and how quickly this information was communicated to the Data Protection Coordinator T Cole Realty LLC DATA PROTECTION POLICY Data Protection Policy prepared for T Cole Realty LLC 9 © 2019 Frascona, Joiner, Goodman and Greenstein, P.C., 4750 Table Mesa Drive Boulder, CO 80305 (303) 494-3000 Initials_______  Details about the compromised data that does or may include Breach PII, including: o What types of Breach PII have been or may be compromised o Number of records affected o A list of affected individuals o Whether any compromised data was encrypted (if so, which fields)  Other known details regarding the Security Breach, for example: o Method of breach o Compromised systems o Whether data was deleted, modified, copied and/or viewed  A determination of whether special consultants or other professionals are necessary to perform forensic analysis or otherwise further investigate After the Company conducts its investigation, unless this investigation determines that the misuse of Breach PI has not occurred and is not reasonably likely to occur, the Company will give notice to the affected Colorado residents as soon as reasonably possible, but in any case not later than thirty (30) days after the date at which there is sufficient evidence to conclude that a Security Breach has taken place (unless a law enforcement agency has directed the Company not to send notice, or if longer than 30 days is necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.) The Company will provide notice to any affected Colorado residents in accordance with the notification procedures set forth in C.R.S. § 6-1-716. XI. Destruction and Disposal Policies PII that is no longer needed after the expiration of applicable legal or business processrelated retention periods should be deleted, destroyed, or otherwise properly disposed of. The Company has implemented specific retention and disposal protocols set forth in its File Retention Policy, a copy of which has been attached here as Exhibit A. All members of the Company should review and comply with the requirements included in that File Retention Policy document. XII. Effective Date of this Policy; Future Modifications This Policy may be revised from time to time, and the Company has the maximum discretion permitted by law to interpret, administer, change or modify this Policy. This policy was last revised on May 11, 2023, the “Effective Date”. All of the rules, guidelines, and procedures set forth above shall be implemented as of the Effective Date. This version of the Policy supersedes and replaces any previous version(s) of the Policy that may have been in place prior to the Effective Date. The terms of this Policy cannot be modified by any statements, written or oral, by anyone within the Company absent a formal amendment of this Policy.