PRIVACY POLICY
Information Security Kentucky, LLC
Last updated: [DATE]
Effective date: [DATE]
This Privacy Policy describes how Information Security Kentucky, LLC ("we," "us," or "our") collects, uses, and discloses information in connection with:

The VaultGuard Apps family of cybersecurity software, including VaultGuard Backup and any other VaultGuard-branded applications now or hereafter offered (collectively, the "Software");
Our cybersecurity and backup services for businesses (the "Services"); and
Our website at informationsecuritykentucky.com (the "Website").

The Software, Services, and Website are referred to collectively as the "Offerings."
We have written this policy to be specific rather than generic. We tell you exactly what leaves your computer, where it goes, and what happens to it. If anything here is unclear, email us at customerservice@informationsecuritykentucky.com and we will explain it.

1. The short version
For VaultGuard App subscribers: your backup contents go from your source drive to whatever destination you choose — typically a folder synced to your own cloud storage account. We do not see the contents of your backups at any point. The cloud storage account is yours, the cloud provider is your choice, and we have no access to it.
For Tier 2 Services clients in central Kentucky: as part of the Tier 2 service, we maintain a managed off-site copy of your backups on a cloud account we operate. This means your backup data does pass through our infrastructure for that third copy. The full disclosure is in Section 2(C) below.
A small amount of operational information also leaves your computer when you use the Offerings. Specifically:
(a) License validation: your license key and a hardware fingerprint are transmitted to our license validation infrastructure on a periodic basis to confirm your subscription is active.
(b) Email alerts (only if you enable them): when a VaultGuard App sends you an email alert about an event, the alert is routed through our email relay, which means the contents of those alert emails pass through our infrastructure on the way to your inbox.
(c) Two-factor authentication setup (only if you enable 2FA): during initial 2FA setup, the Software requests a QR code image from a third-party QR generation service.
(d) Services engagements: if you become a Services client, we receive whatever business and system information you share with us in the course of our work together. Tier 2 Services clients additionally have backup contents handled by our managed off-site copy infrastructure (see Section 2(C)).
(e) Website use: browsing our website, signing up for an account, paying for a subscription, and contacting customer service all involve standard collection of information described in Section 2(B) below.
The rest of this policy describes each of these in detail.

2. What we collect
A. Information collected through the VaultGuard Apps
License key and hardware fingerprint. When you activate a VaultGuard App and on a periodic basis afterward, the Software transmits the following to our license validation infrastructure:

Your license key (issued to you when you subscribed)
A "hardware fingerprint" derived by concatenating your computer's motherboard serial number and CPU identifier
Your IP address (incidentally, as part of the network connection)

The hardware fingerprint is used to bind a license to a specific device. The fingerprint is not a name, address, account, or anything that identifies you personally — it identifies a particular physical computer.
Email alert contents. If you enable email alerts in the Software's configuration, then when the Software sends an alert (for example, "Backup completed successfully" or "Drive health warning on E:"), the alert is sent to our email relay, which then forwards it to your chosen recipient email address. The email contains:

A subject line you (or the Software) selected
The body of the alert, which may include: backup status, error messages, file paths, drive identifiers, machine name, your "client name" field (a label you set during configuration), and the date and time of the event
The recipient address you chose

If you do not want this information passing through our infrastructure, you can disable email alerts in the Software's configuration. We are evaluating an option to allow customers to configure their own SMTP server directly; if you would find that useful, let us know.
Two-factor authentication QR codes. If you enable two-factor authentication (2FA), the Software generates a TOTP secret on your computer and then requests a QR code image from api.qrserver.com, a third-party service operated by Goqr.me. The TOTP secret is included in the request URL so that the QR code image returned will encode it. After initial setup, no further requests are sent to this service.

Honest note: Sending a TOTP secret to any third-party service is not best practice, even briefly. We are working to replace this with local QR code generation, which would keep the TOTP secret entirely on your computer. Until that is shipped, users with strict security requirements should not enable 2FA in the Software, or should set it up in an environment they consider acceptable for that one-time secret transmission.

Local logs. The Software writes detailed logs to C:\ProgramData\VaultGuardBackup\ (and similar locations for future VaultGuard Apps) on your computer. These logs include backup events, errors, configuration changes, security events (failed passphrase attempts, integrity check results), and similar diagnostic information. Local logs do not leave your computer unless you choose to send them to us as part of a customer service request.
Data file contents (for VaultGuard App subscribers). The Software reads files from your computer to back them up, monitor them, or otherwise process them as the specific VaultGuard App is designed to do. For App subscribers, the contents of those files are never transmitted to us. They go from your source drive to whatever destination you have chosen — an external drive, a network share, or a cloud-sync folder under your control (whichever cloud provider you prefer). We have no access to your files at any point.
(Tier 2 Services clients: see Section 2(C) for an important difference in how the third backup copy is handled.)
B. Information collected through the Website
When you use the Website, we collect:

Account information you provide when you create an account or buy a subscription: your name, email address, business name (optional), and billing address.
Payment information is processed by our payment processor (Stripe Payments, operated by Stripe, Inc.). We receive transaction confirmations and limited information (the last four digits of your card, expiration date, billing address) but we do not see or store your full card number.
Customer service communications. When you email us for help, we receive whatever you choose to send: your message, attachments, and any system information you include.
Server logs. Our website host records standard web server information, including your IP address, browser type, pages visited, and the date and time of each visit.
Cookies. Our website uses cookies to maintain your session if you log in, and to remember basic preferences. We do not currently use third-party advertising or behavioral tracking cookies. If we add analytics cookies in the future, we will update this policy and provide a cookie-consent mechanism where required.

C. Information collected through Services engagements
If you become a Services client (a small business in central Kentucky engaging us for cybersecurity, backup, or related services under our Tier 1 or Tier 2 service plans), we will receive the information necessary to perform the work, which may include:

Your business name, contact information, and billing details
System configuration information you choose to share with us
Network diagrams, account inventories, and similar technical documentation
Information necessary to set up backup, monitoring, or other infrastructure on your behalf

This information is governed by the Master Service Agreement signed at the start of the engagement, which includes confidentiality obligations on our part.
Important — managed off-site backup copy for Tier 2 clients. The Tier 2 service plan includes a three-layer backup architecture: (1) a local copy on an encrypted external drive at your business; (2) a cloud copy synced through your business's own cloud account; and (3) an off-site copy maintained by us on cloud storage we operate. This third copy means that as a Tier 2 client, your backup contents do pass through our infrastructure and are stored on cloud storage we manage — currently provided by Google LLC's Google Drive service.
What this means in practice:

We have technical access to the third backup copy in order to maintain it, monitor its integrity, and assist with restore operations
Your data is encrypted in transit (TLS 1.2+) and at rest within Google Drive's infrastructure
We do not access the contents of your backup files in the normal course of business — we manage the storage layer, not the data itself. Access to the file contents would only occur if you specifically authorized it (for example, during a recovery operation we are performing on your behalf)
The third-copy infrastructure provider is currently Google LLC. If we change providers, we will give Tier 2 clients written notice at least thirty (30) days in advance
This managed off-site copy is not part of the VaultGuard App subscription product — it is exclusively a Tier 2 services deliverable

Tier 1 Services clients and VaultGuard App subscribers do not have data passing through our managed off-site infrastructure.
We do not access the contents of your customer files, patient records, financial records, or other sensitive business data unless doing so is specifically required by the work and authorized by you.
D. What we don't collect
For VaultGuard App subscribers and Tier 1 Services clients, we do not collect:

The contents of your backups or other files processed by the Software
The contents of files on your computer, beyond the limited metadata described above
Your computer's screen, keystrokes, or activity outside the Software
Browsing history outside our Website
Information about other software running on your computer
Location data beyond what is inferable from your IP address

For Tier 2 Services clients, the same list applies except that backup contents are handled through our managed off-site copy infrastructure as described in Section 2(C). All other items in this list still apply — we still do not collect screen activity, keystrokes, browsing history, or other software information.

3. Third parties we share information with
We use a small number of third-party service providers to operate the Offerings. Each provider receives only the information it needs to perform its function. We do not sell or rent personal information to anyone.
Keygen, Inc. (Keygen.sh) — License validation infrastructure.
Receives: your license key, hardware fingerprint, and IP address.
Purpose: validating your subscription.
Privacy policy: https://keygen.sh/privacy/
Render, Inc. (Render.com) — Hosts our license validation relay and email alert relay.
Receives: any data passing through those relays, including license keys, hardware fingerprints, alert email contents, and IP addresses.
Purpose: providing infrastructure for our backend services.
Privacy policy: https://render.com/privacy
Stripe, Inc. — Payment processor.
Receives: your name, billing address, email, and payment card information.
Purpose: processing subscription payments.
Privacy policy: https://stripe.com/privacy
Goqr.me (api.qrserver.com) — QR code rendering for 2FA setup.
Receives: your TOTP secret (one time, only during 2FA setup).
Purpose: generating the QR code image you scan with your authenticator app.
Privacy policy: https://goqr.me/api/
Squarespace, Inc. — Website hosting.
Receives: standard web server data and any information you submit through forms on our website.
Purpose: hosting and operating the Website.
Privacy policy: https://www.squarespace.com/privacy
Google LLC (Gmail / Google Workspace) — Our email infrastructure.
Receives: any email correspondence with us.
Purpose: standard business email.
Privacy policy: https://policies.google.com/privacy
Google LLC (Google Drive) — Storage infrastructure for the Tier 2 managed off-site backup copy (applies only to Tier 2 Services clients).
Receives: encrypted backup files we store on behalf of Tier 2 clients.
Purpose: providing the off-site cloud storage layer for the Tier 2 three-layer backup architecture.
Privacy policy: https://policies.google.com/privacy
We may also disclose information when we are legally required to do so (subpoena, court order, valid law enforcement request) or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
In the event of a merger, acquisition, or sale of substantially all of our assets, customer information may be transferred to the acquiring party as part of that transaction, subject to the same privacy commitments described in this policy.

4. How we use information
We use the information we collect to:

Operate the Offerings, including validating subscriptions and routing email alerts
Provide cybersecurity services to clients under signed Master Service Agreements
Process payments and manage your account
Provide customer support and respond to your inquiries
Send you transactional emails about your account (receipts, renewal notices, security notifications)
Detect, prevent, and respond to fraud, abuse, and security incidents
Comply with legal obligations
Improve the Software based on aggregated, non-identifying patterns

We do not use your information to build advertising profiles, train machine learning models, or sell to data brokers. None of those things happen.

5. How long we keep information
After the retention period ends, we delete or anonymize the information.
Retention periods:

Account and subscription records: For the life of your account, plus seven (7) years after closure for tax and accounting purposes
Payment records: Seven (7) years (legal record-keeping requirement)
Services client records (under Master Service Agreement): Per the MSA, generally seven (7) years after engagement ends
License validation logs: Ninety (90) days
Email relay logs: Thirty (30) days
Email alert contents passing through the relay: Not persistently stored beyond the time required to deliver the message; relay logs may briefly retain delivery metadata for up to thirty (30) days for troubleshooting
Customer service emails: Three (3) years from the close of the matter, or as long as your account is active, whichever is shorter
Website server logs: Ninety (90) days


6. How we protect information
We use commercially reasonable technical and organizational measures to protect the information we hold:

All transmissions between the Software and our infrastructure are encrypted using TLS 1.2 or higher
License validation requests are authenticated with API keys
Customer data on our infrastructure is stored on encrypted disks
Access to customer data is limited to the personnel and systems that need it
We use strong, unique credentials for all accounts that access customer data
We follow the principle of least privilege

No security measure is perfect. If we ever experience a security incident affecting your information, we will notify you in accordance with applicable law, typically without unreasonable delay and in any event within the timeframes required by Kentucky law (KRS 365.732) or any other applicable state or federal breach-notification law.

7. Children
The Offerings are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will delete it. If you believe a child has provided us information, please contact us at customerservice@informationsecuritykentucky.com.

8. Your privacy rights
Depending on where you live, you may have specific rights regarding your personal information.
A. All users
Regardless of where you live, you may at any time:

Access the personal information we hold about you
Correct inaccuracies in your personal information
Delete your account and associated information (subject to retention requirements for billing records)
Export a copy of your personal information in a machine-readable format
Opt out of marketing emails (transactional emails about your account, renewals, and security cannot be opted out of while your account is active)

To exercise any of these rights, email customerservice@informationsecuritykentucky.com from the email address associated with your account. We will respond within thirty (30) days. We may need to verify your identity before fulfilling certain requests.
B. California residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

The right to know what categories of personal information we collect, the sources of that information, the business purposes for collecting it, and the third parties with whom we share it (all described in this policy)
The right to request deletion of personal information, subject to legal exceptions
The right to correct inaccurate personal information
The right to non-discrimination for exercising your rights

We do not sell or "share" personal information as those terms are defined under California law. We do not have a "Do Not Sell or Share My Personal Information" button because there is nothing to opt out of.
To exercise your California rights, email customerservice@informationsecuritykentucky.com.
C. Residents of other states with privacy laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and obtain a copy of personal information. Email customerservice@informationsecuritykentucky.com to exercise these rights. We do not engage in targeted advertising or profiling that produces legal or similarly significant effects.
D. Residents of the European Economic Area, United Kingdom, and Switzerland
If you are in the EEA, UK, or Switzerland and the General Data Protection Regulation (GDPR) or UK GDPR applies to you, you have additional rights including the rights to access, rectification, erasure, restriction of processing, data portability, and objection to processing. The legal bases on which we process your personal information are: (a) performance of our contract with you (subscription services), (b) compliance with legal obligations, and (c) our legitimate interests in operating and securing the Offerings.
You also have the right to lodge a complaint with your local data protection authority.
To exercise any of these rights, email customerservice@informationsecuritykentucky.com.

9. Authorized agents
You may designate an authorized agent to exercise your privacy rights on your behalf. We will require written authorization signed by you, and we may verify your identity directly before fulfilling requests submitted by an agent.

10. International users
The Offerings are operated from the United States. If you access the Offerings from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using the Offerings, you consent to this transfer.
For users in the EEA, UK, and Switzerland: we rely on Standard Contractual Clauses approved by the European Commission for international transfers, where applicable, and we apply supplementary safeguards as necessary.

11. Do Not Track
Some web browsers transmit a "Do Not Track" signal. There is no industry consensus on how websites should respond to such signals. Our Website does not currently respond to Do Not Track signals, but we also do not engage in cross-site behavioral tracking.

12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify subscribers by email at least thirty (30) days before the changes take effect, and we will post the updated policy on our Website with a new "Last updated" date. Your continued use of the Offerings after the effective date of changes constitutes acceptance of the updated policy.
We will preserve previous versions of this policy in a publicly accessible archive at informationsecuritykentucky.com/legal/privacy/archive so you can see what the policy said at any past point in time.

13. Contact us
Questions, complaints, or rights requests:
Information Security Kentucky, LLC
Attn: Privacy
1100 Innovation Way Apt 3
Radcliff, KY 40160
United States
Email: customerservice@informationsecuritykentucky.com
Phone: (270) 250-3457
We aim to respond to all privacy inquiries within five (5) business days.