1) Overview
This Privacy Policy explains how we collect, use, disclose, and protect personal data in connection with our managed IT and security services, help desk, remote support, consulting services (the "Services"), and our websites and web forms (the "Sites"). This policy is written to support the Colorado Privacy Act (CPA) and other applicable U.S. privacy requirements. [Colorado General Assembly](https://content.leg.colorado.gov/sites/default/files/2021a_190_signed.pdf)
Controller vs. Processor
- We act as a Controller for personal data we collect through our Sites, marketing, billing, HR, and account management.
- We act as a Processor (or service provider) for personal data we handle on behalf of clients through tools and workflows the client authorizes. In that case, processing is governed by our contract (for example MSA, SOW, DPA, or BAA), and the client is the Controller.
2) Who We Are and How to Contact Us
- Legal entity: Tecnico Desk LLC
- Mailing address: 1905 Sherman Street, Ste 200 2250, Denver, CO 80203, United States
- Privacy contact: privacy@tecnicodesk.com
3) What Personal Data We Collect (by context)
A. Sites and Marketing (Controller)
Identifiers (name, email, phone), business contact info, device and usage data (for example IP address, browser type, and cookie identifiers), and form submissions.
B. Clients and End Users (Processor)
Business contact details, ticket and asset metadata, device identifiers, logs and telemetry, configuration state data, and security signals (alerts and detections) from tools the client authorizes. We do not request more data than needed for the Services.
C. Remote Support and Monitoring
Session metadata (time, technician, device), screen content visible during a session, and command or action history necessary to troubleshoot.
Session recordings are off by default and used only when enabled and authorized by the client.
D. Sensitive Data
We aim to avoid processing sensitive data unless it is necessary for the Services and covered by contract.
Where required (for example PHI under HIPAA), we process according to agreed safeguards (see your DPA or BAA).
4) Purposes of Processing
- Delivering and supporting the Services, administering accounts, and authenticating users.
- Securing environments (patching, endpoint protection, backup, and threat detection).
- Service operations (ticketing, quality assurance, and service analytics).
- Business operations (billing, audit support, and compliance documentation as applicable).
- No sale of personal data. We do not use personal data for targeted advertising without required notices and opt-out mechanisms where applicable. [Colorado General Assembly](https://content.leg.colorado.gov/sites/default/files/2021a_190_signed.pdf)
5) Legal Bases or Authority
- Colorado (CPA): We process as a Controller for disclosed purposes and provide consumer rights and opt outs as described below. [Colorado General Assembly](https://content.leg.colorado.gov/sites/default/files/2021a_190_signed.pdf)
- Processor role: We process on documented instructions from the Controller per contract (MSA, SOW, DPA, or BAA).
- Other regions: If other laws apply (for example GDPR), additional terms may be provided in a contract addendum.
6) How We Use AI
We may use enterprise AI features to assist internal workflows such as ticket triage, drafting documentation, and summarization. We do not use conversational AI tools to make autonomous changes inside client environments. Human review is required for client-facing outputs.
We do not intentionally input credentials, secrets, or unredacted regulated data into conversational interfaces. Where a client engagement requires handling regulated data, controls and tooling are defined by contract and scope.
See our AI Usage Policy for additional handling rules.
7) Cookies, Analytics, and Tracking
We use necessary cookies and similar technologies for basic site operation and security. Where we use analytics or marketing tools, we configure them to reduce data collection where feasible.
If our Sites use tracking that qualifies as targeted advertising under applicable law, we provide appropriate notice and opt-out options, and we honor recognized universal opt-out mechanisms where required. [Colorado Secretary of State](https://sos.state.co.us/CCR/DisplayRule.do?action=ruleinfo&ruleId=3396)
8) Disclosures of Personal Data
- Service providers and sub-processors that help us run the Sites and deliver the Services (for example hosting, ticketing, security tools).
- Clients when we act as Processor, consistent with the client’s instructions and contract.
- Legal and safety recipients where required by law or to protect rights, safety, and security.
We maintain written agreements with sub-processors as required and limit access to what is needed to provide services.
9) Security
We maintain a security program designed to reduce risk, including access controls, MFA where appropriate, least-privilege role assignment, monitoring, patching, and incident response practices. Security controls vary by service scope and the client environment.
No security program can guarantee absolute security. We focus on reasonable and proportionate safeguards for the Services we provide.
10) Your Rights (Colorado Privacy Act)
Colorado residents acting in an individual or household context may have the right to access, correct, delete, and obtain a portable copy of personal data we control, and to opt out of targeted advertising, the sale of personal data, and certain profiling. [Colorado General Assembly](https://content.leg.colorado.gov/sites/default/files/2021a_190_signed.pdf)
How to exercise your rights
Email privacy@tecnicodesk.com with your request. We will take reasonable steps to verify identity and respond within required timeframes.
Under the CPA, controllers generally respond within 45 days and may extend once by an additional 45 days when reasonably necessary. Appeals are generally decided within 45 days. [Colorado General Assembly](https://content.leg.colorado.gov/sites/default/files/2021a_190_signed.pdf)
Note on business and employment data
Some privacy rights do not apply to individuals acting in a commercial or employment context. For client employee data we handle as a Processor, direct requests to your employer or the applicable Controller.
11) Opt Outs and Universal Signals
Where applicable, we honor recognized universal opt-out mechanisms for targeted advertising, sale, or profiling, consistent with Colorado requirements and the Colorado AG rules (for example Global Privacy Control where implemented). [Colorado Secretary of State](https://sos.state.co.us/CCR/DisplayRule.do?action=ruleinfo&ruleId=3396)
You can also submit opt-out requests by emailing privacy@tecnicodesk.com.
12) Data Retention
- Ticketing and service records: typically up to 2 years unless contract or law requires longer.
- Device and security telemetry logs: commonly around 90 days, depending on platform and scope.
- Remote session recordings: off by default. If enabled, retention is defined in the client’s SOW (commonly 30 to 90 days).
- Backups: defined per client scope and platform policy.
We retain personal data only as long as needed for the purposes described in this policy, to comply with law, or as required by contract. When retention ends, we delete or de-identify data where feasible.
13) Children
Our Sites and Services are not directed to children under 13, and we do not knowingly collect personal data from children except where a client engagement explicitly requires it and is governed by contract and applicable law.
14) International Data Transfers
When data is transferred across borders, we rely on appropriate mechanisms and safeguards proportionate to risk. Customer data residency is primarily driven by the client environment and scope. Some security and edge services may operate globally to improve availability.
15) Remote Support and Workforce Privacy
- Remote sessions begin only with user authorization or appropriate user notice, depending on the support method.
- Recording is off by default. If enabled, retention and access controls are defined by scope and contract.
- Endpoint agents collect device health and security telemetry for support and threat detection within the agreed service scope.
- Technician access uses least privilege and administrative access is logged.
- Clients may restrict recording, clipboard and file transfer, or after-hours access where supported by the tool.
16) Changes to This Policy
We may update this policy from time to time. If changes are material, we will update the effective date and provide notice where appropriate.
Appendix A: How We Process Data as a Processor
- Authorized processing: As documented in the MSA, SOW, DPA, or BAA, solely for the Services and subject to confidentiality.
- Sub-processing: We maintain a list of key sub-processors and provide notice of changes where required by contract.
- Security: We implement technical and organizational measures appropriate to risk, within the agreed scope.
- Assistance: We assist Controllers with data subject requests and security events as required by contract.
- Return or deletion: Upon contract end or on request, we return or delete personal data within agreed timelines.
Appendix B: Sub-Processor List
The table below is a summary list for transparency. A client-specific sub-processor list and contractual terms are available upon request when applicable.
| Vendor | Service | Data types | Region(s) | Retention defaults | Contract | Security attestations |
|---|---|---|---|---|---|---|
| Cloudflare | Edge security (DNS/CDN/WAF) | IP addresses, HTTP request metadata, DNS logs | Global (Anycast) | Per service defaults | DPA/SCCs | SOC 2/ISO 27001 |
| Microsoft Entra ID | Identity & SSO | User identifiers, roles, auth logs | US (tenant region) | Tenant and policy dependent | Microsoft DPA | SOC 2/ISO 27001 |
| Microsoft Defender | Endpoint security (EDR/AV) | Endpoint telemetry, alerts, file/process metadata | US (tenant region) | Tenant and policy dependent | Microsoft DPA | SOC 2/ISO 27001 |
| Microsoft 365 | Productivity & collaboration | Email and collaboration data per client configuration | US (tenant region) | Admin set | Microsoft DPA | SOC 2/ISO 27001 |
| Intune | UEM/MDM | Device identifiers, compliance state, configuration | US (tenant region) | Admin set | Microsoft DPA | SOC 2/ISO 27001 |
| HubSpot | CRM & marketing | Lead/contact data, email engagement, web forms | Tenant dependent | Admin set | DPA/SCCs | SOC 2/ISO 27001 |
| Formspree | Website forms relay | Form submissions and metadata | US | Admin set | DPA | - |
| Monday.com | Project management | Project/task data, user identifiers | Tenant dependent | Admin set | DPA/SCCs | SOC 2/ISO 27001 |
| Microsoft Azure | Cloud infrastructure (internal) | Internal business data, logs | US regions | Admin set | DPA/SCCs | SOC 2/ISO 27001 |
| AWS | Cloud infrastructure (internal) | Internal business data, logs | US regions | Admin set | DPA/SCCs | SOC 2/ISO 27001 |
Appendix C: Regional Addenda
- GDPR/UK GDPR: contractual terms and addenda can be provided where applicable.
- Sectoral: HIPAA/GLBA/FERPA terms are handled by contract and scope where required.
- Other states: if serving residents of other states with comparable laws, we may provide additional notices and request methods.
Appendix D: CPA Disclosures Snapshot
- Categories of personal data processed (by context).
- Purposes of processing.
- Categories of personal data shared and to whom.
- Whether data is sold or used for targeted advertising (and how to opt out).
- Profiling in furtherance of decisions with legal or similarly significant effects (if any).
- How to exercise rights and appeal decisions.
- Retention periods or criteria.
- Contact information.
This page is provided for transparency and does not, by itself, create contractual obligations. Contractual terms appear in applicable service agreements and addenda.