Privacy Policy.
Every category of personal data the firm collects, listed with its lawful basis, retention period, and the rights you hold over it. Written to comply with the strictest of the applicable frameworks rather than regionally forking the language.
We write to GDPR & CCPA. The rest fits inside.
Who controls your data, and what this covers.
Bespoke Business Development is the data controller for personal data collected through bespoke-business.com, its subdomains, the Client Portal, and the operational systems used in delivery. This policy describes what is collected, why, for how long, and how to act on the rights you hold over it.
- Controller: Bespoke Business Development. A Florida-incorporated consulting firm. Headquartered in Miami, with offices in nine additional cities.
- Postal Address: Miami, FL · USA. Full mailing address provided on request to privacy@bespoke-business.com.
- DPO Inbox: privacy@bespoke-business.com. Handles every data-subject request and supervisory-authority correspondence.
- Supervisory Authority: Florida DLA (default). EU residents: the supervisory authority in your member state. UK residents: the ICO.
Six categories of personal data, nothing else.
The firm collects six discrete categories. Each is listed below with its source, its purpose, and the retention period. Anything not listed is not collected.
| Category | What It Includes | Source | Retention |
|---|---|---|---|
| 01 · IDENTIFIERS | Name, email, phone, company name, role | Forms · email · MSA | 7 yrs post-close |
| 02 · ANALYTICS | Page views, referrer, device type, anonymized IP, session timing | Site instrumentation | 26 months |
| 03 · ENGAGEMENT | Project notes, meeting recordings (with consent), shared documents | Active engagement | 7 yrs post-close |
| 04 · PAYMENT META | Last 4 digits, card brand, billing zip, transaction ID — never the full PAN | Stripe (processor) | 7 yrs (tax) |
| 05 · COMMS | Email correspondence, support tickets, chat transcripts | Direct communication | 3 yrs post-close |
| 06 · TECHNICAL | Cookies, local storage, technical headers — itemized in the Cookie Policy | Browser · cookies | Up to 13 months |
What this policy does not capture.
The firm does not collect special-category data (race, religion, health, genetic, biometric, sexual orientation, political opinion) and does not knowingly process data from minors. If you believe either has happened, write to privacy@bespoke-business.com and the data will be deleted within 30 days of verification.
Why we can hold each category.
Under GDPR, every category of personal data must rest on one of six lawful bases. The firm relies on three: consent, contract, and legitimate interest. The basis for each category is named below.
- Identifiers: Contract & Legitimate Interest. Necessary to enter and perform the engagement; legitimate interest for prospect outreach.
- Analytics: Consent · Legitimate Interest. Consent via cookie banner for non-essential analytics; legitimate interest for aggregated server-side metrics.
- Engagement Data: Contract. Necessary for the performance of the contract you have entered into with the firm.
- Payment Metadata: Contract & Legal Obligation. Required to process payment and to satisfy tax-record requirements.
- Communications: Legitimate Interest & Contract. Operating the relationship; documenting decisions; quality assurance.
- Technical Data: Consent · Legitimate Interest. Essential cookies on legitimate interest; non-essential cookies on opt-in consent.
What we actually do with it.
Personal data is used to deliver the engagement, operate the business, communicate with you, and comply with the law. We do not sell, rent, or trade personal data — not to advertisers, brokers, or affiliates.
Deliver the engagement
Identify you as a client. Communicate during the work. Issue and reconcile invoices. Store deliverables and project records for the duration of the relationship.
Operate the firm
Internal record-keeping, billing, scheduling, capacity planning, and the firm's lawful business operations. Aggregated, anonymized analytics inform planning decisions.
Communicate & respond
Reply to inquiries. Send transactional notifications (invoices, schedule changes, deliverable handoffs). Send opt-in newsletters where you have subscribed.
Comply with the law
Tax reporting, record retention, regulatory disclosures, and lawful requests from courts, regulators, or supervisory authorities with proper authority.
Improve the work
Anonymized engagement metrics inform methodology improvements. Identifiable engagement records are never used for product training without express written consent.
What we never do
We do not sell personal data. We do not rent it. We do not trade it to advertisers, data brokers, or affiliates. We do not use it to train third-party AI without explicit consent.
Who else sees your data, and where it sits.
Personal data is shared only with processors needed to operate the engagement — and only with those processors on terms that contractually bind them to the same standards. International transfers ride on Standard Contractual Clauses or equivalent safeguards.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| STRIPE | Payment processing | USA · EU | DPA · SCCs · PCI DSS |
| HUBSPOT | Form intake & CRM | USA · EU | DPA · SCCs |
| CALENDLY | Scheduling | USA | DPA · SCCs |
| AWS | Hosting · backups | USA (us-east-1) | DPA · SCCs · ISO 27001 |
| GOOGLE WORKSPACE | Email · documents · meetings | USA · EU | DPA · SCCs · ISO 27001 |
| ACCOUNTANT | Tax filings · year-end | USA (Florida) | Confidentiality Agreement |
| EXTERNAL COUNSEL | Specialist legal advice | By jurisdiction | Professional duty · NDA |
INTERNATIONAL TRANSFERS
Where data crosses jurisdictions, the firm relies on Standard Contractual Clauses (SCCs) for EU-to-US flows, the UK International Data Transfer Agreement (IDTA) for UK transfers, and equivalent safeguards elsewhere. SCCs are appended to the MSA on request and travel with international engagements at signature.
LAWFUL DISCLOSURES
The firm responds to lawful requests from courts, regulators, and supervisory authorities. Where notice to the data subject is not legally prohibited, the firm will provide notice before disclosure. The firm does not voluntarily disclose data to law-enforcement agencies absent a properly executed legal instrument.
How long each thing is kept.
Personal data is retained for the period required to deliver the engagement, plus the period required by law for record-keeping. After that, it is deleted, anonymized, or aggregated. Retention windows are documented per category.
- Identifiers: 7 years post-engagement. Tax-record requirement under U.S. federal law. Then purged or anonymized.
- Engagement Records: 7 years post-engagement. Includes project files, communications, and signed agreements.
- Payment Records: 7 years. IRS retention requirement. Held by accountant of record, separately from active client systems.
- Marketing Consents: Until withdrawn. Withdraw at any time via the unsubscribe link or by writing to privacy@.
- Analytics: 26 months. Then aggregated to the point of non-identifiability and retained indefinitely.
- Inactive Prospects: 24 months. No activity (open, click, reply) for 24 months triggers automatic purge.
Eight rights, one inbox, thirty days.
Under GDPR, CCPA, and the equivalent frameworks the firm honors elsewhere, you hold a set of rights over your personal data. Every right is exercised through privacy@bespoke-business.com. Identity is verified; the request is fulfilled within thirty days.
- A copy of every piece of personal data the firm holds on you. Delivered in machine-readable JSON plus a human-readable PDF within 30 days of verification.
- Correction of inaccurate or incomplete personal data. Submit the correction in writing. Verified updates are applied across systems and confirmed back to you in writing.
- Deletion of personal data, subject to legal retention. Financial records held for 7 years under tax law. Outside that window, data is purged within 30 days of request.
- Restrict processing while a dispute is resolved. Pause processing while accuracy or lawful basis is contested. Data remains stored; active processing halts.
- Your data, exported in a commonly used format. Transferable to another controller. Engagement deliverables exportable any time through the Client Portal.
- Object to processing on legitimate-interest grounds. The firm reviews the objection within 30 days and either suspends processing or explains the overriding interest in writing.
- Withdraw consent at any time, no questions. Unsubscribe links on every marketing email. Cookie consent revocable via the banner. Other consents revocable in writing.
- Complain to a supervisory authority. EU residents: your member-state authority. UK: the ICO. California: the CA AG. Florida: the Department of Legal Affairs.
Every request is acknowledged within 48 hours and fulfilled within 30 days.
Complex requests may extend by 60 additional days with written notice to you explaining the extension. There is no fee for the first request in any 12-month period; subsequent identical requests may carry a reasonable administrative fee under GDPR Article 12(5).
How the data is protected.
The firm implements technical and organizational measures appropriate to the risk presented by the data it holds. No system is invulnerable — the measures below reduce exposure and contain damage when something goes wrong.
- Encryption in transit: TLS 1.2+ everywhere. HTTPS forced on all properties. HSTS preloaded.
- Encryption at rest: AES-256. Database storage and backups encrypted by the cloud provider.
- Access controls: Role-based · MFA. Two-factor required for all internal accounts. Principle of least privilege.
- Backups: Daily · encrypted. 30-day retention, encrypted at rest, in a separate region.
- Vulnerability mgmt: Quarterly review. Dependencies patched on a published cadence; critical patches inside 48 hours.
- Vendor review: Annual. Every sub-processor reviewed yearly for DPA, certifications, breach history.
- Breach response: 72-hour notification. Supervisory authority & affected data subjects within 72 hours of confirmation.
- Training: Onboarding + annual. All staff complete privacy & security training at onboarding and annually thereafter.
Two categories we do not collect.
The firm provides services to businesses and the individuals who run them — not to consumers, not to minors. Personal data from anyone under 16 is not knowingly collected, and special-category data is excluded from intake by default.
- Minors (under 16): Not knowingly collected. If a parent or guardian believes a minor has submitted data, write to privacy@ for immediate deletion.
- Special-category data: Excluded by default. Race, religion, health, genetic, biometric, sexual orientation, political opinion are not collected.
If your engagement requires processing of special-category data — say so in writing first.
Some engagements (healthcare, regulated industries, accessibility work) may require limited processing of special-category data. When that's the case, the firm signs an explicit data processing addendum covering scope, safeguards, and retention. Default posture is exclusion until that addendum is signed.
How this policy changes.
Material changes are notified to active clients fourteen days before they take effect, via email and in-portal banner. Non-material edits are logged in the change history at the foot of this document but do not trigger notification.
- Material Change: 14 days advance notice. Email to active clients · banner on the policy page · entry in the change log.
- Non-Material Edit: Logged only. Typography, formatting, clarifying language that does not alter rights or obligations.
- Prior Versions: Available on request. Every prior version retrievable for 7 years. Write to privacy@ for a specific date.
One inbox. Privacy questions go here.
All data-subject requests, regulator correspondence, and questions about this policy route to the Data Protection Officer inbox. Identity is verified before any personal data is released; the SLA is 48-hour acknowledgment and 30-day fulfillment.
Privacy & data requests.
Access, erasure, rectification, portability, and supervisory-authority correspondence. Identity verification required before personal data is released. Fulfillment within 30 days.
privacy@bespoke-business.com
- Legal: legal@bespoke-business.com. Document interpretation, takedowns.
- Security: security@bespoke-business.com. Coordinated vulnerability disclosure.
- Billing: accounting@bespoke-business.com. Payment-record questions.
- Cookies: Cookie Policy. Itemized cookie register & consent.
Your data, your rights, one inbox.
If anything in this policy is unclear, write to privacy@bespoke-business.com. Questions are catalogued; the policy is reviewed twice yearly with the regulators' guidance and the questions that came in.