Privacy Policy
1. Introduction
AJ IT Consulting (“AJ IT Consulting,” “the Company,” “we,” “us,” or “our”) respects the privacy of the individuals and organizations that visit our website, request information about our services, and engage us to manage, secure, host, and support their technology environments. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information and business information in connection with our managed information technology services and the operation of our website located at https://ajitconsulting.net.
AJ IT Consulting is a California-based Managed IT Services Provider headquartered at 2102 Business Center Drive #130, Irvine, California 92612. We deliver technology consulting and managed services to businesses throughout Southern California and across the United States. Our work places us in a position of trust. Clients rely on us to administer their systems, monitor their networks, secure their endpoints, route their telephone calls, host their websites, and protect their data. We take that responsibility seriously, and this Policy is part of how we honor it.
We have written this Policy to be read and understood by business owners and decision makers, not only by lawyers. Where a legal term is used, we explain it. Where a practice is technical, we describe it in plain language. We encourage you to read the entire document so that you understand what information we handle and the choices available to you.
By accessing our website, communicating with us, requesting a proposal, or receiving services from us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use our website or submit information to us.
This Privacy Policy addresses how we handle information. It is distinct from our service agreements, which govern the commercial and technical terms of the work we perform. Where a signed services agreement, statement of work, master services agreement, or data processing addendum addresses the treatment of a client’s data, that agreement controls the rights and obligations of the parties with respect to that data, and this Policy serves as general notice of our information practices. Nothing in this Policy is intended to limit any greater protection a client is entitled to under a signed agreement or under applicable law.
2. Purpose of This Privacy Policy
The purpose of this Privacy Policy is to provide clear and complete notice of the information practices of AJ IT Consulting. Specifically, this Policy is intended to:
- Describe the categories of personal information and business information we collect and the sources from which we collect it.
- Explain the business and commercial purposes for which we use information.
- Identify the categories of third parties with whom we may share information and the reasons for that sharing.
- Describe the safeguards we apply to protect information against unauthorized access, use, alteration, and disclosure.
- Explain the privacy rights available to California residents and how to exercise them.
- Clarify the respective responsibilities of AJ IT Consulting and our clients with respect to data handled during the delivery of managed services.
- Set out how we communicate changes to this Policy and how you may contact us with questions or requests.
This Policy reflects our intent to comply with applicable privacy and consumer protection laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act, the California Online Privacy Protection Act, the Federal Trade Commission Act, the CAN-SPAM Act, and the Telephone Consumer Protection Act. It also reflects generally accepted cybersecurity practices appropriate to a managed services provider.
3. Scope
This Privacy Policy applies to information that AJ IT Consulting collects, receives, or processes in connection with our website, our marketing activities, our sales and onboarding processes, and our delivery of managed services. It applies to the following groups of people and entities:
- Website visitors who browse our website, read our content, or interact with forms, chat features, or downloadable materials.
- Prospective customers who request information, submit inquiries, schedule consultations, or receive proposals and statements of work.
- Existing clients and their authorized personnel who receive managed IT, cybersecurity, voice, cloud, web, and support services from us.
- Vendors and subcontractors who provide goods or services to AJ IT Consulting or who we engage on behalf of clients.
- Other individuals whose information we may receive through our clients, referrals, or business partners in the ordinary course of providing services.
This Policy describes our own privacy practices. When we administer, monitor, host, or support systems on behalf of a client, we generally act as a service provider that processes information at the direction of, and on behalf of, that client. In those situations, the client is responsible for its own privacy notices, consents, and lawful basis for processing, and the terms of our services agreement with the client govern how we handle data within that client environment. This Policy supplements, and does not replace, those agreements.
This Policy does not apply to the privacy practices of third parties, including the websites, platforms, and services of vendors referenced in this document, or the websites we host and develop for clients, each of which maintains its own privacy practices.
4. Definitions
To make this Policy easier to follow, the following terms have the meanings set out below:
- Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under the California Consumer Privacy Act.
- Business Information means information relating to an organization, such as company name, business contact details, account information, technical configuration, and service records, which may or may not constitute personal information depending on context.
- Sensitive Personal Information means the subset of personal information that California law treats as sensitive, including account log-in credentials in combination with access information, government identifiers, precise geolocation, and the contents of certain communications, as described in Section 20.
- Client or Customer means a business or organization that has engaged AJ IT Consulting to provide services under a services agreement, statement of work, or comparable arrangement.
- Service Provider means an entity that processes information on behalf of a business for a business purpose under a written contract that restricts the use of that information, consistent with the meaning under California law.
- Process or Processing means any operation performed on information, including collection, recording, storage, use, analysis, disclosure, transmission, and deletion.
- Client Data means data within a client environment that we access, store, transmit, or back up while delivering services, including the client’s files, email, configurations, telephony records, and backups.
- Website means the website operated by AJ IT Consulting at https://ajitconsulting.net, including its subdomains and associated pages.
- Services means the managed information technology, cybersecurity, voice, cloud, web, and support services described in Section 5 and elsewhere in this Policy.
5. Information We Collect
AJ IT Consulting collects information that is necessary to operate our business, respond to inquiries, deliver and support our services, secure the environments we manage, and meet our legal and contractual obligations. The categories below describe the information we may collect. The specific information collected about any individual or organization depends on the nature of their relationship with us and the services involved.
5.1 Personal and Contact Information
We collect identifying and contact details that allow us to communicate with you and provide services. This may include your name, job title, employer or organization, business mailing address, business email address, business telephone and mobile numbers, and the contents of messages you send to us. When you become a client contact, we may also retain records of your role, your authorization level within your organization, and your preferences for how we reach you.
5.2 Business and Account Information
For organizations that engage us, we collect business information such as company name, business structure, primary and secondary points of contact, service locations, account numbers, contract terms, licensing entitlements, and the history of services we have provided. This information supports billing, account management, vendor coordination, and service delivery.
5.3 Billing, Payment, and Financial Information
We collect billing information needed to invoice clients and process payments, which may include billing contacts, billing addresses, purchase orders, tax identification details supplied by the client, and records of payments and outstanding balances. Card and bank account details used to make payment are generally collected and processed by our payment processors rather than stored by us. We retain transaction records and invoices as required for accounting, tax, and audit purposes.
5.4 Technical, Device, and Usage Information
When you visit our website or interact with systems we operate, we automatically collect technical information that web servers and security tools generate as a matter of course. This may include your internet protocol (IP) address, approximate location derived from that address, browser type and version, operating system, device type and identifiers, screen and viewport characteristics, referring and exit pages, the pages and resources you view, the dates and times of access, and session information that links a sequence of requests from the same visitor. We collect this information through cookies, server logs, website analytics, and similar technologies described in Section 9.
5.5 Support, Help Desk, and Remote Support Information
When you contact our help desk or open a service ticket, we collect the information you provide in that request, including descriptions of the issue, screenshots, attachments, affected systems, and the communications exchanged while we work the ticket. During remote support sessions, our tools generate records that may include the date and time of the session, the technician involved, the device accessed, the actions taken, and session logs. We use this information to diagnose and resolve issues, document our work, and improve service quality. Remote support practices are described further in Section 11.
5.6 Security, Authentication, and Log Information
In the course of monitoring and securing the environments we manage, our systems collect and retain security-relevant records. These include authentication logs and sign-in events, security logs and alerts, firewall logs, intrusion and threat detection events, endpoint telemetry, and network activity records. This information is essential to detect, investigate, and respond to security incidents and to maintain the integrity of managed systems. Cybersecurity practices are described further in Section 15.
5.7 Managed Environment and Configuration Information
To administer client environments, we collect and maintain technical information about the systems under management. This includes endpoint information, network information and topology, device and asset inventory, configuration information, licensing information, network diagrams, and documentation describing how a client environment is built and operated. Where we administer cloud and productivity platforms, we may collect tenant and administrative information from services such as Microsoft 365, Microsoft Azure, and Google Workspace, limited to what is necessary to perform contracted administration. We may also collect backup information that records what was backed up, when, and whether recovery operations succeeded.
5.8 Voice and Communications Information
When we provide or administer business phone services, we may collect or process voice and communications information such as caller and called numbers, call logs, call routing and caller identification data, voicemail, short message service (SMS) records where applicable, and call recordings where a client has enabled recording and recording is permitted by law. The handling of this information is described further in Section 12.
5.9 Website Development and Hosting Information
When we design, develop, host, or support a website, we may collect or process information related to that website, including domain and DNS records, hosting account details, content management system data, form submissions captured by the site, and analytics generated by the site. Website development practices are described further in Section 13.
5.10 Client Documentation and Project Records
We maintain client documentation and project documentation that records the scope, design, and delivery of our services. This may include statements of work, project plans, runbooks, standard operating procedures, change records, and as-built documentation. This material frequently contains technical configuration details and is treated as confidential.
5.11 Marketing and Communication Preferences
We collect marketing preferences, communication preferences, email preferences, and SMS preferences that tell us how, and whether, you wish to receive newsletters, service announcements, and promotional messages. We honor these preferences as described in Section 21 and provide a means to update or withdraw them at any time.
We do not knowingly collect more information than is reasonably necessary for the purposes described in this Policy. Where we no longer need information, we dispose of it in accordance with Section 18.
6. How Information Is Collected
We collect information through several channels, depending on how you interact with us and the services we provide:
- Website forms when you complete a contact form, request a quote, schedule a consultation, or submit a question through our website.
- Telephone when you call us, leave a voicemail, or speak with our staff, including notes we record about the conversation.
- Email when you correspond with our sales, support, billing, or administrative teams.
- Support portal and service tickets when you open, update, or respond to tickets through our help desk or support portal.
- Remote support sessions when our technicians connect to your devices with authorization to diagnose and resolve issues.
- Cookies and analytics when your browser interacts with our website and the tracking technologies described in Section 9.
- Client onboarding when we gather the account, technical, and contact details needed to begin delivering services.
- Vendor and platform integrations when systems we use to deliver services exchange information necessary to provision, monitor, and support your environment.
- Social media when you interact with our pages or content on third-party social platforms, subject to those platforms’ own privacy practices.
- Third-party referrals and business partners when a partner or existing contact refers you to us or shares your information with your knowledge.
- Live chat when you use a chat feature on our website to ask questions or request assistance.
- Website downloads and newsletter subscriptions when you download a resource, subscribe to updates, or register for an event.
- Marketing campaigns when you respond to an email, advertisement, or other campaign and provide information in doing so.
Some information is provided directly by you. Some is generated automatically by our systems when you use our website or when we deliver services. Some is received from clients, referral sources, and the vendors and platforms we use to operate. We combine these sources only as needed to fulfill the purposes described in this Policy.
7. How We Use Information
AJ IT Consulting uses the information it collects for legitimate business and commercial purposes connected to operating our company and serving our clients. These purposes include:
- Providing, configuring, maintaining, and supporting our managed IT, cloud, voice, web, and security services.
- Delivering technical support and resolving service tickets, including remote and onsite support.
- Administering Microsoft 365, Microsoft Azure, Google Workspace, and other platforms we are engaged to manage.
- Monitoring networks, endpoints, and security events to detect, investigate, and respond to threats and incidents.
- Operating business phone and VoIP services, including call routing, voicemail, and messaging where contracted.
- Developing, hosting, and maintaining websites, domains, DNS, and SSL certificates for clients.
- Performing backups, recovery testing, and disaster recovery operations.
- Billing clients, issuing invoices, processing payments, and managing licensing and renewals.
- Managing vendor and subcontractor relationships and coordinating procurement on behalf of clients.
- Communicating with you about your account, service status, maintenance, outages, and important notices.
- Preventing, detecting, and investigating fraud, abuse, security incidents, and unauthorized activity.
- Verifying identity and authorization before acting on requests that affect an account or environment.
- Meeting legal, regulatory, tax, accounting, and contractual obligations, and enforcing our agreements.
- Conducting marketing consistent with your preferences and applicable law, and measuring its effectiveness.
- Improving our services, training our staff, performing quality assurance, and analyzing business performance.
We use information only for purposes that are compatible with the reasons it was collected, or for which we have obtained consent or another lawful basis. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under California law. See Section 19 for the rights this provides to California residents.
When we handle client data while delivering managed services, our use is narrower still. We use that data to operate, support, and secure the services contracted, to improve and protect the systems involved, and to meet legal and contractual obligations. We do not mine client data for unrelated commercial purposes, and we do not use the contents of a client’s files, email, or communications to build profiles or to market to the client’s own customers. Aggregated and de-identified operational information may be used to monitor performance, plan capacity, and improve our services, provided it cannot reasonably be used to identify any individual.
8. Legal Bases for Processing
Although the comprehensive consent and legal basis framework most familiar from the European Union does not apply to most of our activities, we believe it is good practice to explain the grounds on which we process information. Depending on the activity, we rely on one or more of the following bases:
- Consent where you have given us permission to process information for a specific purpose, such as subscribing to marketing communications. You may withdraw consent at any time, which will not affect processing already carried out.
- Performance of a contract where processing is necessary to deliver the services you or your organization have engaged us to provide, or to take steps at your request before entering into an agreement.
- Legal obligations where processing is necessary to comply with applicable law, including tax, accounting, and lawful requests from authorities.
- Legitimate interests where processing is necessary for our legitimate business interests, such as operating and improving our services, provided those interests are not overridden by your rights and interests.
- Protection against fraud and abuse where processing supports the detection and prevention of fraud, abuse, and unauthorized access.
- Protection of networks and systems where processing is necessary to maintain the security, availability, and integrity of the networks and systems we operate and manage.
- Security monitoring where processing supports the continuous monitoring required to keep managed environments secure.
9. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to operate the site, remember your preferences, understand how the site is used, and protect against abuse. A cookie is a small text file placed on your device by a website. Related technologies include web beacons, pixels, and tag managers, which help measure activity and manage how scripts load on a page.
We use the following categories of cookies and technologies:
- Essential cookies that are necessary for the website to function, such as those that enable navigation, security, and access to secure areas. The site cannot operate properly without these.
- Security cookies that help detect malicious activity, prevent fraudulent use, and protect both visitors and our systems.
- Functional cookies that remember choices you make, such as language or region, to provide a more personalized experience.
- Preference cookies that store settings so the site behaves the way you expect on return visits.
- Performance and analytics cookies that collect aggregated information about how visitors use the site so we can measure and improve performance.
- Session cookies that exist only during a single browsing session and are deleted when you close your browser.
- Persistent cookies that remain on your device for a set period or until you delete them, so the site can recognize you on future visits.
We may also use web beacons and pixels, which are small graphic files or code snippets that allow us to understand whether content or email has been viewed, and tag managers, which help us deploy and manage these technologies in an organized way.
9.1 Managing Cookies
Most browsers allow you to refuse or delete cookies through their settings. You can usually configure your browser to notify you when a cookie is set, to block third-party cookies, or to clear cookies when you close the browser. If you disable certain cookies, some features of the website may not function as intended. Where required by law, we present a cookie notice or consent mechanism that lets you accept or decline non-essential cookies. Your choices are stored and honored for subsequent visits from the same browser, subject to your continued use of that browser and device.
10. Third-Party Service Providers
AJ IT Consulting relies on reputable technology platforms and service providers to operate our business and deliver services. We describe these by category rather than committing to specific named vendors indefinitely, because the providers we use may change as technology and client needs evolve. The categories include:
- Cloud hosting and infrastructure providers that host applications, data, and workloads.
- Microsoft platforms, including Microsoft 365 and Microsoft Azure, used for productivity, identity, and cloud services.
- Voice and VoIP providers and carriers that deliver business telephone services.
- Payment processors that handle invoicing and the secure processing of payments.
- Email and email security providers that deliver and protect electronic mail.
- Website hosting providers and content delivery networks.
- Backup and disaster recovery providers that store and protect backup data.
- Security providers, including endpoint protection, firewall, threat detection, and monitoring vendors.
- Analytics and marketing platforms that help us understand and reach our audience.
- Customer relationship management (CRM) systems that organize contacts and engagements.
- Help desk and ticketing platforms used to manage support requests.
- Remote monitoring and management (RMM) and remote access tools used to administer and support systems.
- Domain registrars and SSL certificate providers.
- Accounting and bookkeeping providers used for financial administration.
Representative platforms we may use include, but are not limited to, Microsoft and Microsoft 365, Microsoft Azure, Google Workspace, Cisco Meraki, SonicWall, Sophos, Ubiquiti UniFi, Wazuh, Proxmox, Datto, RingCentral, Cloudflare, domain registrars, SSL certificate authorities, payment processors, cloud backup providers, and email security providers. Reference to any platform in this Policy is for transparency only. It does not imply endorsement of, or any guarantee or warranty regarding, that platform, and the availability or selection of any particular vendor may change over time.
When we engage a service provider to process personal information on our behalf, we seek to use providers that maintain appropriate security measures, and we limit their use of information to the purposes for which we engage them, consistent with applicable law.
11. Managed IT Services
Delivering managed IT services requires access to client systems. Our technicians access client systems only as necessary to provide the services a client has contracted for, and only with the authorization the client has granted. We follow the principle of least privilege, meaning our personnel are granted the minimum access required to perform a task, and access is monitored and logged.
Depending on the services contracted, our authorized personnel and tools may access and administer:
- Servers, including physical, virtual, and cloud-hosted servers.
- Workstations, laptops, and other end-user devices.
- Firewalls, switches, routers, and wireless access points.
- Microsoft 365, Microsoft Azure, and Google Workspace tenants and administrative consoles.
- Active Directory, identity services, and directory information.
- Remote desktop and remote access sessions established with authorization.
- Cloud environments, virtual machines, and hosted platforms.
- Virtual private networks (VPNs) and secure remote access systems.
- Storage systems, file shares, and network-attached storage.
- Network devices, printers, and peripherals connected to managed networks.
- Mobile device management platforms and the device records they contain.
When we access a client environment, we may view, store, or transmit data within that environment as a necessary part of administration, monitoring, and support. We treat that data as confidential client data. We do not use client data for our own purposes beyond delivering the contracted services, improving and securing those services, and meeting our legal obligations. The client remains the owner of its data, as described in Section 14 and in the applicable services agreement.
Clients are responsible for designating who is authorized to request changes, for maintaining the accuracy of their authorized contact lists, and for promptly notifying us when an authorized contact should be added or removed. We rely on these designations to protect client environments against unauthorized changes.
Remote support is a core part of how we deliver services efficiently. When a remote session is required, it is initiated with the client’s authorization, whether through standing consent in the services agreement or through a specific request to address an issue. During a remote session, a technician may view the screen, control the device, transfer files needed for the work, and run diagnostic and administrative tools. Our remote support tools generate session records that document who connected, when, to which device, and what was done. We retain these records to maintain an audit trail, support quality assurance, and resolve disputes. We do not access client devices outside the scope of authorized support, and we instruct our personnel to limit their activity to the task at hand.
12. Business Phone Services
When we provide or administer business phone services, including VoIP, we process information necessary to deliver telephone and messaging functionality. This may include:
- Call routing information used to direct inbound and outbound calls.
- Caller identification data presented or received on calls.
- Voicemail messages stored on behalf of the client.
- Short message service (SMS) and messaging records, where messaging is provisioned.
- Call detail records and call logs reflecting the date, time, duration, and parties to calls.
- Carrier integration information exchanged with telephone carriers to complete calls.
Call recording is available on some phone systems. Where a client enables call recording, the client is responsible for configuring recording in compliance with applicable law, including any requirement to notify or obtain consent from call participants. California is a two-party consent state for the recording of confidential communications. Clients that record calls are responsible for meeting these legal requirements, and we will assist with technical configuration where contracted to do so.
Emergency services present specific considerations for VoIP. The ability to reach emergency services and to convey accurate location information depends on correct configuration, accurate registered address information, and network and power availability. Clients are responsible for maintaining accurate registered location information for each device and for understanding the limitations of VoIP during power or internet outages. We will provide configuration guidance, but we do not guarantee the availability of emergency calling under all conditions.
13. Website Development Services
When we design, develop, host, or support websites for clients, we process information related to those websites. Depending on the engagement, this may include:
- Hosting account details and server configuration for the websites we host.
- Content management system (CMS) data, including site content, user accounts, and administrative settings.
- Domain registration records and DNS configuration.
- SSL certificate provisioning and renewal information.
- Website analytics that measure traffic and usage.
- Contact form submissions and other data captured by the website.
- Embedded content and third-party plugins integrated into the website.
- Website security configuration, monitoring, and protective measures.
A website we build or host for a client may collect personal information from that client’s own visitors. In that arrangement, the client is the operator of the website and is responsible for its own privacy policy, consent banners, and lawful basis for collecting information from its visitors. AJ IT Consulting acts as a service provider for the hosting, development, and security functions we are contracted to perform. We do not control the content a client publishes, the third-party plugins a client requests, or the way a client uses information collected through its own website.
Third-party plugins, embedded content, and external scripts incorporated into a website may transmit information to their providers. We will advise clients of known considerations when we are responsible for selecting components, but clients are responsible for the privacy implications of components they direct us to install.
14. Backup and Disaster Recovery
Backup and disaster recovery are central to the resilience of the environments we manage. Our practices in this area reflect the following principles:
- Client ownership of backup data. Backup data belongs to the client. We store and protect it as a service provider and return or dispose of it in accordance with the services agreement upon termination.
- Encryption. We apply encryption to backup data in transit and at rest where our tools and the contracted service support it, to protect against unauthorized access.
- Recovery testing. Where contracted, we perform periodic recovery testing to validate that backups can be restored. No backup or recovery process can guarantee complete or error-free restoration in every circumstance.
- Retention. Backups are retained according to the retention schedule agreed with the client, balancing recovery needs against storage limits and legal requirements.
- Restoration. We perform restorations at client request or as needed to recover from data loss, and we log restoration activity.
- Cloud and local backups. Depending on the design, backups may be stored locally, in the cloud, or both, to support different recovery objectives.
- Disaster recovery and business continuity planning. Where contracted, we help clients plan for continuity of operations and recovery from disruptive events, including documented recovery objectives and procedures.
Clients are responsible for identifying the systems and data that must be protected, for confirming that the agreed backup scope meets their needs, and for notifying us of new systems that should be added to backup coverage. We are responsible for operating the backup service as contracted and for promptly investigating backup failures of which we become aware.
15. Cybersecurity Services
Cybersecurity services involve the collection and analysis of security-relevant information so that threats can be detected and addressed. Depending on the services contracted, our cybersecurity work may include:
- Threat monitoring across endpoints, networks, identities, and cloud services.
- Log collection and correlation from devices, applications, and security tools.
- Firewall monitoring and management, including review of firewall logs and alerts.
- Endpoint monitoring through endpoint detection and protection tools.
- Incident response, including investigation, containment, eradication, and recovery.
- Security assessments and reviews of configuration and posture.
- Vulnerability scanning to identify weaknesses that should be remediated.
- Malware detection and removal.
- Security alerting and notification to designated client contacts.
Security monitoring necessarily involves the collection of information about activity within a managed environment, including authentication events, network connections, and the behavior of users and systems. We collect and use this information for the purpose of protecting the environment and responding to threats. We retain security logs for periods appropriate to detection, investigation, and applicable obligations, as described in Section 18.
No security program can eliminate all risk. The threat landscape evolves continuously, and determined attackers may defeat even strong defenses. We apply reasonable, industry-aligned measures appropriate to the services contracted, but we do not and cannot guarantee that a managed environment will never experience a security incident. Effective security also depends on client cooperation, including timely patching decisions, user awareness, and adherence to recommended practices. Where a client declines a recommended safeguard, the associated risk remains with the client.
16. Information Sharing
AJ IT Consulting does not sell personal information. We share information only as needed to operate our business, deliver services, and meet legal obligations. The circumstances in which we may share information include:
- Service providers and subprocessors, who perform functions on our behalf, such as hosting, payment processing, security, backup, and support tooling, under contracts that restrict their use of the information.
- Business partners, where a partner is involved in delivering a service you have requested, and only to the extent necessary for that purpose.
- Client consent and direction, where a client instructs us to share information with a designated party, such as another vendor working in the client environment.
- Legal requests and court orders, where we are required to disclose information in response to a subpoena, court order, or other valid legal process.
- Law enforcement and government authorities, where disclosure is necessary to comply with law or to protect rights, safety, and property.
- Emergency situations, where disclosure is necessary to protect the vital interests, safety, or security of an individual or the public.
- Business transfers, where, in connection with a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of the transaction, subject to the receiving party honoring this Policy or providing comparable protection.
When we share information, we share only what is reasonably necessary for the relevant purpose. We do not authorize service providers to use personal information for their own independent purposes.
17. Data Security
AJ IT Consulting maintains a security program designed to protect information against unauthorized access, use, alteration, disclosure, and loss. Our safeguards include administrative, technical, and physical measures appropriate to the nature of the information and the services we provide:
- Administrative safeguards, including security policies, role definitions, access reviews, onboarding and offboarding procedures, and incident response planning.
- Technical safeguards, including network protections, endpoint protection, monitoring, logging, and secure configuration.
- Encryption, applied to data in transit and, where supported, at rest, to reduce the risk of unauthorized access.
- Access controls and least privilege, so that personnel and systems receive only the access required to perform their roles.
- Multi-factor authentication, required for access to sensitive systems where supported.
- Secure backups, protected and retained as described in Section 14.
- Employee training, to maintain awareness of security and privacy responsibilities.
- Vendor risk management, to evaluate the security practices of the providers we rely on.
- Physical safeguards, to protect facilities, equipment, and media against unauthorized physical access.
Despite these measures, no method of transmission over the internet and no method of electronic storage is completely secure. We cannot guarantee absolute security. You are responsible for protecting your own credentials, for using strong and unique passwords, for enabling available security features, and for promptly notifying us if you believe your account or environment has been compromised.
17.1 Client Responsibilities
Security and privacy are shared responsibilities. While AJ IT Consulting operates and protects the services it is contracted to provide, the security of a client environment also depends on actions within the client’s control. Clients are responsible for the following:
- Maintaining accurate lists of personnel authorized to request changes or access information.
- Safeguarding account credentials and ensuring that users do not share passwords or accounts.
- Enabling and maintaining recommended security controls, including multi-factor authentication, where available.
- Applying or approving security updates and patches in a timely manner, or accepting the risk of deferring them.
- Providing accurate information for service delivery, including registered locations for voice services.
- Ensuring that their own collection and use of personal information, including data collected through hosted websites and recorded calls, complies with applicable law.
- Promptly reporting suspected security incidents, lost devices, or compromised accounts.
Where a client declines a recommended safeguard or fails to meet these responsibilities, the resulting risk remains with the client, and AJ IT Consulting is not responsible for harm that a declined or omitted safeguard would have prevented.
18. Data Retention
We retain information for as long as necessary to fulfill the purposes for which it was collected, to provide and support our services, and to meet our legal, contractual, and operational obligations. The period we retain information depends on the type of information and the relevant purpose, and is informed by:
- Business need, retaining account, service, and configuration information for the duration of the relationship and as needed to support ongoing services.
- Legal obligations, retaining records as required by applicable law, including limitation periods for potential claims.
- Security, retaining security and audit logs for periods appropriate to detection, investigation, and response.
- Tax and accounting records, retaining invoices, payment records, and related documentation for the periods required by tax and accounting rules.
- Contracts, retaining agreements and statements of work for the life of the contract and a reasonable period afterward.
- Support records, retaining ticket and support history to provide continuity of service and resolve recurring issues.
- Backups, retaining backup data according to the agreed backup retention schedule, after which it is rotated or deleted in the ordinary course.
When information is no longer needed for these purposes, we delete, de-identify, or otherwise dispose of it in a secure manner. Upon termination of services, we handle client data in accordance with the applicable services agreement, which governs the return and deletion of that data.
19. California Privacy Rights
This section applies to California residents and describes the rights provided under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”). These rights apply to personal information that AJ IT Consulting collects as a business. Where we process personal information as a service provider on behalf of a client, requests to exercise these rights should generally be directed to the client that controls the information, and we will support our clients in responding to verified requests as required.
19.1 Your Rights
- Right to Know and Access. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting it, and the categories of third parties with whom we have shared it.
- Right to Delete. You have the right to request that we delete personal information we have collected from you, subject to exceptions that permit us to retain information for certain purposes, such as completing a transaction, providing a requested service, security, legal compliance, and internal uses reasonably aligned with your expectations.
- Right to Correct. You have the right to request that we correct inaccurate personal information we maintain about you, taking into account the nature of the information and the purposes of processing.
- Right to Data Portability. You have the right to receive a copy of certain personal information in a portable and, to the extent technically feasible, readily usable format.
- Right to Opt Out of Sale or Sharing. You have the right to opt out of the sale of personal information and the sharing of personal information for cross-context behavioral advertising. AJ IT Consulting does not sell personal information and does not share it for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information. You have the right to limit the use and disclosure of sensitive personal information to those uses permitted under the CCPA. As described in Section 20, we use sensitive personal information only for permitted purposes.
- Right to Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights. We will not deny services, charge different prices, or provide a different level of quality because you exercised your rights.
19.2 Authorized Agents
You may use an authorized agent to submit a request on your behalf. We may require the authorized agent to provide proof that you gave the agent signed permission to submit the request, and we may require you to verify your own identity directly with us or to confirm that you provided the agent with permission.
19.3 Verification Process
To protect your information, we must verify your identity before responding to a request to know, delete, or correct. Verification involves matching the information you provide in your request with the information we maintain. We may ask for additional information to verify your identity to a degree of certainty appropriate to the sensitivity of the request. We will not use information collected for verification for any purpose other than verification.
19.4 How to Submit a Request
California residents may submit privacy requests by emailing sales@ajitconsulting.net, by calling 949-998-9019, or by writing to AJ IT Consulting at 2102 Business Center Drive #130, Irvine, California 92612. Please include enough information for us to locate your records and to verify your identity, and describe your request with sufficient detail for us to evaluate and respond to it.
19.5 Response Timeframes
We will confirm receipt of a request within ten business days and will respond to a verifiable request within forty-five calendar days. If we need more time, we may extend the period by an additional forty-five days and will notify you of the extension and the reason for it. There is generally no charge to submit a request or to receive a response, though we may charge a reasonable fee or decline to act on requests that are manifestly unfounded or excessive, as permitted by law.
20. Sensitive Personal Information
Certain categories of personal information are treated as sensitive under California law. Sensitive personal information may include account log-in credentials in combination with any required access or security information, government-issued identifiers, precise geolocation, and the contents of certain communications where we are not the intended recipient. In the course of delivering managed services, we may handle credentials and access information necessary to administer client systems, and our voice and messaging services may involve communications content.
We use and disclose sensitive personal information only for purposes permitted under the CCPA, which include providing the services reasonably expected by an average consumer, ensuring security and integrity, detecting and responding to malicious or fraudulent activity, and performing services on behalf of the business. We do not use sensitive personal information to infer characteristics about you, and we do not use it for purposes beyond those permitted by law. Because our use is limited to permitted purposes, the right to limit described in Section 19 is satisfied by our existing practices.
We protect sensitive personal information with heightened care, including restricted access, encryption where supported, and monitoring. Clients are responsible for the lawful handling of credentials and access information within their own organizations and for promptly notifying us when access should be revoked.
21. Marketing Communications
AJ IT Consulting may send marketing and informational communications, including newsletters, service announcements, and promotional messages, by email and, where you have provided the necessary consent, by SMS. We send these communications consistent with your preferences and applicable law.
21.1 Email Marketing and CAN-SPAM
Our commercial email complies with the CAN-SPAM Act. We identify our messages, include our physical mailing address, avoid deceptive subject lines, and provide a clear way to unsubscribe. You may opt out of marketing email at any time by using the unsubscribe link in any marketing message or by contacting us at sales@ajitconsulting.net. We will honor opt-out requests promptly. Even if you opt out of marketing email, we may still send transactional and service-related messages necessary to administer your account and services.
21.2 SMS Messaging and TCPA
Where we send SMS messages, we do so consistent with the Telephone Consumer Protection Act and related rules. We send marketing text messages only to recipients who have provided the required prior consent, and we treat consent to receive texts as separate from any other agreement. Message and data rates may apply. You may opt out of text messages at any time by replying STOP to a message from us or by contacting us directly. We will not condition the purchase of services on your agreement to receive marketing text messages.
21.3 Managing Your Preferences
You may update your marketing, email, and SMS preferences at any time by contacting us. We maintain records of communication preferences so that we can honor your choices across our systems.
22. Children’s Privacy
Our website and services are directed to businesses and are not intended for children. We do not knowingly collect personal information from children under the age of thirteen, consistent with the Children’s Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from minors under sixteen for the purpose of selling or sharing it, and we do not sell or share personal information in any event. If we learn that we have collected personal information from a child under thirteen without appropriate consent, we will take reasonable steps to delete that information. If you believe a child has provided us with personal information, please contact us at sales@ajitconsulting.net so that we can address the matter.
23. International Visitors
AJ IT Consulting is based in the United States, and our services are intended for clients in the United States. Our website may be accessible from outside the United States. If you access our website or communicate with us from a location outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those of your country.
We do not market to or target individuals in the European Union, the United Kingdom, or other regions with comprehensive data protection regimes, and this Policy is not intended to satisfy the specific notice requirements of the General Data Protection Regulation or similar laws. If you are located in a region with such laws and you choose to use our website or contact us, you do so on your own initiative and are responsible for compliance with your local laws. By using our website or providing information to us from outside the United States, you consent to the transfer and processing of your information in the United States as described in this Policy.
24. Do Not Track Signals
Some browsers offer a “Do Not Track” (DNT) setting that sends a signal to websites requesting that the user’s activity not be tracked. There is currently no common industry or legal standard for recognizing or responding to DNT signals. Because no uniform standard exists, our website does not currently respond to DNT signals. We will continue to monitor developments in this area. Separately, where applicable law recognizes opt-out preference signals for the sale or sharing of personal information, we will honor such signals to the extent required; however, because we do not sell or share personal information as those terms are defined under California law, these signals do not change our practices.
25. Data Breach Response
AJ IT Consulting maintains procedures to respond to security incidents that may affect personal information. Our incident response approach is designed to identify, contain, investigate, and remediate incidents, and to notify affected parties and authorities where required by law.
In the event of a security incident, our response generally includes the following steps:
- Detection and triage, to identify the nature and scope of the incident.
- Containment, to limit the impact and prevent further unauthorized access.
- Investigation, to determine what occurred, what information was involved, and the cause.
- Eradication and recovery, to remove the threat and restore affected systems and data.
- Notification, to affected clients, individuals, and regulators where required by applicable law and contract.
- Review, to identify lessons learned and improve our defenses.
Where an incident affects a client environment that we manage, we coordinate with the client, who as the controller of its data is typically responsible for determining and providing legally required notifications to affected individuals and authorities. We will provide reasonable support to the client consistent with our agreement. We will notify affected parties as required by California law and other applicable breach notification requirements. We do not guarantee that any system can be made immune to security incidents, and our commitments in this area are those set out in the applicable services agreement and required by law.
26. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, technology, or legal requirements. When we make changes, we will revise the “Last Revised” date at the top of this Policy and post the updated version on our website. If we make material changes, we will provide additional notice as appropriate, which may include a notice on our website or a direct communication to affected clients.
We encourage you to review this Policy periodically so that you remain informed about how we handle information. Your continued use of our website or services after an updated Policy takes effect constitutes your acknowledgment of the updated Policy. This Policy is provided for informational purposes, is subject to change without individual notice except where required by law, and does not create contractual rights beyond those set out in a signed services agreement.
27. Contact Information
If you have questions about this Privacy Policy, wish to exercise a privacy right, or want to raise a concern about how your information is handled, please contact us using the information below.
AJ IT Consulting
2102 Business Center Drive #130
Irvine, California 92612
Phone: 949-998-9019
Email: sales@ajitconsulting.net
Website: https://ajitconsulting.net
This Privacy Policy is provided for general informational purposes and reflects the practices of AJ IT Consulting as of the Effective Date. It is not legal advice. AJ IT Consulting reserves the right to update this Policy as described in Section 26.

