Data Security & Privacy Policy
Effective Date: February 1, 2021 | Last Updated: March 7, 2025
AirtimeBA and Online Work Solutions (“we,” “us,” “our”) are committed to protecting user data and ensuring compliance with applicable privacy laws, including the General Data Protection Regulation (GDPR) (EU) and the California Consumer Privacy Act (CCPA) (USA).
This policy outlines how we collect, store, process, and protect personal data while maintaining user rights and data security.
Data Collection
We collect the following types of data:
- Personally Identifiable Information (PII): First name, last name, email address (provided by clients).
- Behavioral Data: Verbal behavior observations from meetings (18 behaviors).
- Survey Responses: Responses to five Likert-scale questions on professional development.
We do not use cookies, tracking pixels, or behavioral profiling technologies.
Legal Basis for Data Collection (GDPR Compliance)
- Legitimate Interest: Data is collected to provide professional development services.
- Participant Informed Consent: Participants provide informed consent before behavioral data is collected.
Data Storage and Processing
Where Is Data Stored?
- Hosted on www.airtimeba.net, maintained by Xecu.net (Frederick, MD, USA).
- Data backups are stored on Xecu.net’s cloud services and offline encrypted drives.
- All data is encrypted at rest and in transit using AES-256 encryption.
Who Has Access?
- Owner and Developer: Have access to backend servers via VPN, SSH, and Google Authenticator 2FA.
- Consultants and Performance Coaches: Have access to cohort-level and anonymized group data but do not have access to individual participant-level data unless explicitly enabled by the Performance Coach.
- Participants: Have access to their own behavior data and individual reports but do not have access to data from other participants.
- Clients: Have access only to anonymized and aggregated cohort-level reports; they do not have access to individual participant data unless explicitly agreed upon.
Data Retention and Deletion
- Data is retained for up to six months for program evaluation and professional development.
- After six months, identifiable participant data is permanently deleted once it has been integrated into anonymized norm data.
- Participants may request access to or deletion of their data at any time.
Security Measures
- Access Protection: Server access is restricted via SSH, OpenVPN, and two-factor authentication (2FA).
- Data Encryption: All stored data is encrypted using AES-256 encryption. Data in transit is protected using TLS 1.2+ encryption.
- Data Backups: Weekly SFTP-encrypted backups are stored on encrypted drives.
- Third-Party Data Sharing: We do not sell, rent, or share personal data with third parties. Limited access is granted only to essential service providers (e.g., cloud hosting, email delivery).
User Rights (GDPR and CCPA Compliance)
Users may:
- Request access to stored personal data.
- Request correction of inaccurate data.
- Request deletion of personal data once it is no longer needed.
- Opt out of data collection under CCPA (for California residents).
To make a request, Participants need to inform their Performance Coach and the Client.
Data Breach Response
If a data breach occurs:
- Users will be notified within 72 hours, in accordance with GDPR Article 33.
- Immediate security measures will be taken to prevent further risks.
- Affected clients and regulators will be informed, where required by law.
Compliance with GDPR, CCPA, and Other Regulations
- GDPR Compliance (EU Users): Users have the right to be forgotten and the right to data portability. Data processing is lawful, fair, and transparent.
- CCPA Compliance (California Users): Users can request a full record of their stored data and have the right to opt out of data collection and request deletion.
- Other Compliance Considerations: AirtimeBA follows ISO 27001 security frameworks for data protection. Data processing agreements (DPAs) are established with all third-party service providers.
Changes to This Policy
This policy may be updated periodically. Users will be notified at least 14 days in advance of significant changes.
Contact Information
For data privacy concerns or requests, contact: martingross@airtimeba.net (Developer) or andrekotze@airtimeba.com (Officer, AirtimeBA LLC).