1) Overview
This Privacy Policy explains how we collect, use, disclose, and protect personal data in connection with our managed IT and security, help desk, remote support, and consulting services (the "Services") and our websites and portals (the "Sites"). It is designed to meet the Colorado Privacy Act (CPA) and other applicable US privacy requirements. Where our clients are located in other jurisdictions (for example EU or UK), additional terms may apply (see Appendix C: Regional Addenda).
Controller vs. Processor
- We act as a Controller for personal data we collect through our Sites, marketing, billing, HR, and account management.
- We act as a Processor or Service Provider for personal data we handle on behalf of clients through our PSA, RMM, EDR, backup tools, and remote support. In that case, our processing is governed by our contract (MSA, SOW, DPA, BAA), and the client is the Controller.
2) Who We Are and How to Contact Us
- Legal entity: Tecnico Desk LLC
- Mailing address: 1905 Sherman Street, Ste 200 2250, Denver, CO 80203, United States
- Privacy contact: privacy@tecnicodesk.com
- Data Protection or Privacy Officer (if appointed): [Name/Title]
3) What Personal Data We Collect (by context)
A. Sites and Marketing (Controller)
Identifiers (name, email, phone), business contact info, device and usage data (IP, cookies), form submissions, event or webinar registrations, support inquiries.
B. Clients and End Users (Processor)
Business contact details, ticket and asset metadata, device identifiers, log and telemetry data, configuration or state data, limited content of files where necessary for support, and security signals (alerts and detections) from tools you authorize us to use. We do not need full customer lists unless required for the Services.
C. Remote Support and Monitoring
Session metadata (time, technician, device), screen content visible during a session (and recordings only if enabled), keystroke or command history necessary to troubleshoot, and system health metrics.
D. Sensitive Data
We avoid processing sensitive personal data. If Services require it (for example PHI under HIPAA or financial data under GLBA), we process only under contract and with appropriate safeguards (see Section 9 and your DPA or BAA).
4) Purposes of Processing
- Delivering and supporting the Services, administering accounts, and authenticating users.
- Securing environments (patching, EDR or MDR, backup and restore, threat detection).
- Service quality and operations (ticketing, QA, service analytics, capacity planning).
- Business operations (billing, audits, compliance).
- No sale of personal data. We also do not use personal data for targeted advertising without a lawful basis and required notices or opt outs.
5) Legal Bases or Authority
- CPA (Colorado): We process as a Controller under legitimate and disclosed purposes and offer statutory rights and opt outs (Sections 10 and 11).
- Processor role: We process only on documented instructions from the Controller per the MSA, SOW, DPA, or BAA.
- Other frameworks: Where GDPR or UK GDPR applies, our legal bases may include contract performance, legitimate interests, or consent (see Appendix C).
6) How We Use AI
We use enterprise AI tools (for example Microsoft Copilot for Microsoft 365, Google Gemini, and OpenAI ChatGPT) to assist with ticket triage, knowledge drafting, and code or script suggestions under strict controls (see our AI Usage Policy). We do not input credentials or unredacted regulated data into conversational interfaces. For restricted data, we use API based workflows with zero data retention and regional controls where available. Human review is required for all client facing outputs.
7) Cookies, Analytics and Tracking
We use necessary cookies and, where configured, analytics (for example privacy centric tools). If we use tracking that could constitute targeted advertising, we will provide a clear notice and honor opt out rights (including recognized universal opt out signals). For web forms and marketing operations we use HubSpot and Formspree (see Appendix B). See our Cookie Notice for details.
8) Disclosures of Personal Data
- Service providers or sub processors (hosting; PSA, RMM, EDR, or backup platforms; email or security gateways; identity providers).
- Clients (Controllers) when we act as Processor, consistent with their instructions.
- Legal and safety recipients where required by law or to protect rights, safety, and security.
We require written agreements with sub processors and maintain an updated Sub processor List (Appendix B).
9) Security
We maintain a written security program (access controls, MFA and SSO, encryption in transit and at rest where feasible, EDR, vulnerability management and patching, network segmentation, backup and BCDR testing, logging and monitoring, secure SDLC for scripts). We train staff and follow least privilege principles. For more detail, see our Security Overview and the AI Usage Policy.
10) Your Rights (Colorado Privacy Act)
Colorado residents (acting in an individual or household context) have the right to access, correct, delete, and obtain a portable copy of personal data we control, and to opt out of targeted advertising, the sale of personal data, and certain profiling. We will not discriminate against you for exercising your rights. If we deny your request, you may submit an appeal. If denied again, we will inform you how to contact the Colorado Attorney General.
How to exercise your rights: Submit a request at [link or form] or email privacy@tecnicodesk.com. We will verify your identity and respond within required timeframes. Authorized agents may submit requests as permitted by law.
Note on B2B or Employment Data:
Some privacy rights do not apply to individuals acting in a commercial or employment context. For client employees' data we handle as a Processor, please direct requests to your employer (the Controller). We will assist the Controller as required by our contract.
11) Opt Outs and Universal Signals
Where applicable, we honor browser or device level universal opt out signals (for example Global Privacy Control) for targeted advertising, sale, or profiling, and provide in product or page level opt out controls.
12) Data Retention
- Ticketing or PSA records: 2 years
- Device or telemetry logs (security logs): 90 days
- Remote session recordings: Off by default. If enabled for a client, retention per client SOW (typically 30 to 90 days).
- Backups: Per client SOW and platform policy (rolling retention, US region).
We retain personal data only as long as needed for the purposes above, to comply with law, or as required by contract. When retention ends, we delete or de identify data.
13) Children
Our Sites and Services are not directed to children under 13, and we do not knowingly collect children's personal data except where a client engagement explicitly requires it and is governed by contract and law.
14) International Data Transfers
When data is transferred across borders, we rely on appropriate mechanisms (for example Standard Contractual Clauses) and implement safeguards proportionate to risk. For our own systems, we configure US only processing where the platform provides a residency option (Microsoft 365 and Entra, Intune, Azure, AWS). Edge and CDN security (Cloudflare) operates globally to improve performance and mitigate attacks. We disclose transfer regions in Appendix B.
15) Remote Support and Workforce Privacy
- We provide clear notices before starting a remote session, and we obtain consent for any session recordings.
- Recording policy: Recordings are off by default. If enabled at a client's request, we disclose retention and access controls in the SOW.
- Scope of monitoring: Endpoint agents collect device health and security telemetry strictly for support and threat detection. Scope is documented per client and minimized.
- Technician access controls: Technicians authenticate via SSO and MFA with least privilege roles. All administrative access is logged and reviewed.
- Audit logs: Remote access events (who, when, which device, actions taken) are retained for 90 days.
- Geography: For company managed systems we configure US only data residency where supported (Microsoft 365 and Entra, Intune, Azure, AWS). Edge or CDN security (for example Cloudflare) may process data globally for availability and DDoS mitigation.
- Client choice: Clients may restrict recording, clipboard and file transfer, or after hours access by policy.
- BYOD: We recommend containerization or MDM with clear separation of work and personal data. Monitoring applies only to the managed workspace or profile.
16) Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated (for example banner or email) with the updated effective date.
Appendix A: How We Process Data as a Processor
- Authorized processing: As documented in the MSA, SOW, DPA, or BAA, solely for the Services and subject to confidentiality.
- Sub processing: We will maintain a list of sub processors and provide notice of changes.
- Security: We implement technical and organizational measures appropriate to risk.
- Assistance: We assist Controllers with data subject requests, security events, and DPIAs.
- Return or Deletion: Upon contract end or on request, we return or delete personal data within agreed timelines.
Appendix B: Sub Processor List
Vendor | Service | Data types | Region(s) | Retention defaults | Contract | Security attestations |
---|---|---|---|---|---|---|
Cloudflare | Edge security (DNS/CDN/WAF) | IP addresses, HTTP request metadata, DNS logs | Global (Anycast) | Per service defaults | DPA/SCCs | SOC 2/ISO 27001 |
Microsoft Entra ID | Identity & SSO | User identifiers, roles, auth logs | US (tenant region) | 90 days auth and security logs (company policy) | Microsoft DPA | SOC 2/ISO 27001 |
Microsoft Defender | Endpoint security (EDR/AV) | Endpoint telemetry, alerts, file/process metadata | US (tenant region) | 90 days security telemetry (company policy) | Microsoft DPA | SOC 2/ISO 27001 |
Microsoft 365 | Productivity & collaboration | Email headers, files/metadata, Teams/SharePoint data | US (tenant region) | Admin set | Microsoft DPA | SOC 2/ISO 27001 |
Intune (Endpoint Manager) | UEM/MDM | Device identifiers, compliance state, configuration | US (tenant region) | Admin set | Microsoft DPA | SOC 2/ISO 27001 |
HubSpot | CRM & marketing automation | Lead/contact data, email engagement, web forms | US (tenant) | Admin set | DPA/SCCs | SOC 2/ISO 27001 |
Formspree | Website forms relay | Form submissions and metadata | US | Admin set | DPA | - |
Monday.com | Project management | Project/task data, user identifiers | US (tenant) | Admin set | DPA/SCCs | SOC 2/ISO 27001 |
Azure (Microsoft) | Cloud infrastructure (internal systems) | Internal business data, logs | US regions | Admin set | DPA/SCCs | SOC 2/ISO 27001 |
AWS | Cloud infrastructure (internal systems) | Internal business data, logs | US regions | Admin set | DPA/SCCs | SOC 2/ISO 27001 |
Appendix C: Regional Addenda (use as needed)
- GDPR/UK GDPR: lawful bases, DPO, Article 27 representative (if needed), rights and timelines, international transfer addendum.
- Sectoral (HIPAA/GLBA/FERPA): include required notices and terms and BAAs where applicable.
- State Variants: if serving residents of other states with comparable laws (CA, CT, VA, UT, etc.), add state specific rights and links to submit requests.
Appendix D: CPA Disclosures Snapshot
- Categories of personal data processed (by context).
- Purposes of processing.
- Categories of personal data shared and to whom.
- Whether data is sold or used for targeted advertising (and how to opt out).
- Profiling in furtherance of decisions with legal or similar effects (if any).
- How to exercise rights and appeal decisions.
- Retention periods or criteria.
- Contact information.