Privacy Policy

A privacy policy is a legal document that discloses how an organization collects, processes, stores, shares, and protects personal information obtained from users, visitors, and partners. This page covers the definition and scope of privacy policies as they apply to professionalservicesauthority.com, the mechanisms through which data handling operates, the specific scenarios in which data collection occurs, and the boundaries that govern decisions about data use. Understanding these parameters matters because privacy law in the United States — spanning federal statutes and state-level frameworks like the California Consumer Privacy Act (CCPA, Cal. Civ. Code §1798.100) — imposes enforceable obligations on any entity that handles consumer data at scale.


Definition and scope

A privacy policy functions as both a disclosure mechanism and a legal instrument. It identifies the categories of personal data collected, the purposes for which that data is used, and the rights individuals hold with respect to their information. The Federal Trade Commission (FTC Act, 15 U.S.C. §45) treats deceptive or unfair privacy practices as actionable violations, which means that any gap between a published privacy policy and actual data practices carries regulatory exposure.

The scope of this policy applies to:

  1. All pages and subdomains operated under the professionalservicesauthority.com domain
  2. Data submitted through contact forms, feedback tools, or partner-facing portals (see Submit Feedback and Contact)
  3. Automated data collected via server logs, cookies, and analytics instrumentation
  4. Third-party data shared through the Partner Network or affiliate relationships disclosed at Affiliate Disclosure

Personal data within this scope includes IP addresses, browser identifiers, device fingerprints, submitted form fields (name, email, organization), and behavioral analytics tied to session identifiers. Non-personal aggregated data — such as page-level traffic counts without user-level identifiers — falls outside regulated categories under most US frameworks.


How it works

Data collection on professionalservicesauthority.com operates across two functional layers: passive collection and active submission.

Passive collection occurs automatically when a visitor loads any page. Web server logs capture IP addresses, referrer URLs, user-agent strings, and timestamp data. Analytics platforms — operating under data processing agreements that limit secondary use — aggregate this into session-level behavioral data. Cookies placed by analytics or advertising services fall into two categories: strictly necessary cookies (required for site functionality, not subject to consent requirements under most US frameworks) and optional tracking cookies (subject to opt-out rights under statutes like the CCPA).

Active submission occurs when a user fills out a form — for instance, through Advertise, API Access, Careers, or the feedback portal. Submitted fields are stored in managed databases with access controls and retention schedules. Retention periods for active submission data are set by operational need and legal hold obligations, not by default indefinite storage.

Data processed for editorial and research functions — including the methodologies described at Data Methodology — is handled under internal editorial standards that prohibit identification of individuals in published outputs unless the individual is a named public figure acting in a public capacity.

Third-party services embedded in site infrastructure (CDN providers, analytics vendors, advertising networks) operate under their own privacy frameworks. Where those services process personal data on behalf of professionalservicesauthority.com, standard contractual clauses or equivalent data processing agreements govern the relationship.


Common scenarios

Scenario 1 — Organic visitor, no form submission. A reader arrives via search engine, reads a page, and leaves. Passive collection logs apply: IP address, session duration, pages viewed. No personally identifiable submission is created. This data is typically retained in raw log form for 90 days before aggregation strips identifiers.

Scenario 2 — Partner or advertiser inquiry. An organization submits details through Advertise or the partner intake process. Name, email, company, and message content are stored. This data is used exclusively for evaluating the business inquiry and is not sold to third parties.

Scenario 3 — Editorial feedback submission. A reader submits a correction or content note via Submit Feedback or the Corrections Policy pathway. Contact information is used to acknowledge receipt and, if applicable, communicate editorial outcomes. Retention aligns with the editorial record rather than a marketing database.

Scenario 4 — API or content licensing inquiry. Technical and business information submitted through API Access or Content Licensing is processed for service evaluation. These submissions may be shared internally across the network but are not shared with external third parties without explicit consent.


Decision boundaries

Privacy policy decisions — what to collect, retain, share, or delete — are governed by a layered framework that distinguishes between regulatory minimums and operational standards.

Collect vs. not collect. The default principle is data minimization: no category of personal data is collected without a documented purpose. This aligns with the FTC's guidance on reasonable data practices and mirrors the minimization principle codified in the CCPA (Cal. Civ. Code §1798.100(b)).

Retain vs. delete. Operational data is retained only as long as necessary for the stated purpose. Legal hold obligations — triggered by active or anticipated litigation — override standard deletion schedules. Aggregated, de-identified data may be retained indefinitely for research and quality purposes.

Share vs. restrict. Personal data is not sold. Data may be shared with service providers operating under data processing agreements, with regulators under lawful process, or in connection with a corporate transaction such as a merger or acquisition — in which case this policy would be updated and notice provided as required by applicable law.

First-party vs. third-party data. First-party data collected directly from site interactions is distinguished from third-party data sourced through partner integrations. The Trust and Transparency standards and Editorial Standards governing published content apply a parallel separation: sourced data is attributed; user-submitted data is protected.

3 regulatory citations referenced  ·  Citations verified Feb 25, 2026
