Privacy Policy

    1. INTRODUCTION

    1.1 About This Privacy Policy

    This Privacy Policy describes how AVD Consulting AB, doing business as IT Sidekick (“IT Sidekick,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you:

    • Visit our website (itsidekick.co)
    • Use our IT support services
    • Communicate with us via email, phone, or other channels
    • Submit information through our Support Portal or booking system
    • Participate in our security awareness training

    This Privacy Policy applies to:

    • Prospective Clients: Individuals and businesses considering our services
    • Active Clients: Businesses and their Authorized Users receiving our services
    • Website Visitors: Anyone browsing our website or content
    • Former Clients: Businesses that previously used our services

    1.2 Our Commitment to Privacy

    IT Sidekick is committed to protecting your privacy and maintaining the confidentiality of your information. As an IT support provider for accounting firms, we understand the sensitivity of the data you handle and take our data protection responsibilities seriously.

    Key Principles:

    • We collect only the information necessary to provide our services
    • We do not sell or rent your personal information to third parties
    • We implement industry-standard security measures
    • We provide transparency about our data practices
    • We respect your rights regarding your personal information

    1.3 Our Role as Service Provider

    IMPORTANT DISTINCTION:

    IT Sidekick provides technical IT support services and may have incidental access to data on client systems during service delivery. However:

    • We are NOT a data custodian, controller, or processor of your client data
    • We do NOT intentionally access, collect, or use your client data except as necessary to provide IT support
    • Client retains full responsibility for their own data, compliance obligations, and data protection practices
    • Our services are technical implementation only, not compliance consulting

    For more information about our data handling practices in client relationships, see Section 11 (Business Client Data Handling).

    1.4 Contact Information

    If you have questions or concerns about this Privacy Policy or our data practices:

    Privacy Contact:

    Data Protection Officer:

    Business Address:
    AVD Consulting AB dba IT Sidekick
    Sköndalsvägen 73
    128 66 Stockholm, Sweden
    Organization Number: 559175-9138

    Service Operations: Remote operations from Sweden, serving US-based clients

    3. HOW WE USE YOUR INFORMATION

    3.1 To Provide Our Services

    For Prospective and Active Clients:

    • Process service inquiries and trial requests
    • Communicate about services, features, and updates
    • Create and manage user accounts
    • Process payments and billing
    • Deliver IT support services
    • Schedule and conduct troubleshooting sessions
    • Monitor system health and security (if applicable to service plan)
    • Generate service reports and analytics

    For Support Delivery:

    • Diagnose and resolve technical issues
    • Remote access to systems for troubleshooting
    • Install and configure monitoring software
    • Implement security recommendations
    • Provide security awareness training

    3.2 To Improve Our Services

    • Analyze usage patterns to enhance service quality
    • Identify common issues and develop solutions
    • Improve response times and efficiency
    • Develop training materials and documentation
    • Test new features and tools

    3.3 For Business Operations

    • Maintain and improve our website
    • Conduct internal analytics and research
    • Manage customer relationships
    • Comply with legal obligations
    • Prevent fraud and abuse
    • Enforce our terms and policies

    3.4 For Communication

    Service-Related Communications (Cannot Opt Out):

    • Service updates and maintenance notifications
    • Response to support tickets and inquiries
    • Account and billing information
    • Important policy or legal updates
    • Security alerts and incident notifications

    Marketing Communications (Can Opt Out):

    • Newsletter and blog updates
    • New feature announcements
    • Educational content and tips
    • Special offers or promotions
    • Industry insights

    You can opt out of marketing communications by:

    • Clicking “unsubscribe” in any marketing email
    • Emailing optout@itsidekick.co
    • Updating preferences in your account settings

    We may also use your information to:

    • Comply with applicable laws and regulations
    • Respond to legal requests (subpoenas, court orders)
    • Protect our rights, property, and safety
    • Protect clients’ rights, property, and safety
    • Investigate and prevent fraud, security breaches, or illegal activity
    • Enforce our Master Services Agreement and other policies

    4. HOW WE SHARE YOUR INFORMATION

    4.1 We Do NOT Sell Your Information

    IT Sidekick does NOT sell, rent, or trade your personal information to third parties for their marketing purposes.

    4.2 Service Providers and Vendors

    We share information with trusted third-party service providers who assist in our operations:

    Infrastructure and Tools:

    • Microsoft 365: Email, document storage, communication tools (privacy policy: microsoft.com/privacy)
    • Remote Monitoring & Management (RMM): System monitoring and remote access tools (e.g., NinjaOne, Atera)
    • Ticketing System: Support ticket management (e.g., Freshdesk, HubSpot)
    • Payment Processing: Stripe for credit card and ACH processing (privacy policy: stripe.com/privacy)

    Website and Marketing:

    • Web Hosting: Website hosting and content delivery
    • Analytics: Google Analytics for website usage analysis (see Section 5.3)
    • Email Service: Email marketing platform (if applicable)

    Business Services:

    • Accounting Software: For invoicing and financial management
    • Legal and Professional Services: Attorneys, accountants, consultants (as needed)

    Vendor Requirements:

    • All vendors must maintain appropriate security measures
    • Vendors are contractually prohibited from using data for their own purposes
    • Vendors must comply with applicable privacy laws
    • We conduct due diligence on vendor security practices

    4.3 Business Transfers

    If IT Sidekick is involved in a merger, acquisition, sale of assets, or bankruptcy:

    • Your information may be transferred to the successor entity
    • You will be notified via email and/or website notice
    • This Privacy Policy will continue to apply unless you receive notice of changes
    • You will have opportunity to opt out or delete your account

    We may disclose information when required by law or when we believe disclosure is necessary to:

    Legal Obligations:

    • Comply with subpoenas, court orders, or legal processes
    • Respond to government requests or investigations
    • Meet regulatory reporting requirements

    Safety and Security:

    • Protect against fraud, abuse, or illegal activity
    • Enforce our terms of service and policies
    • Protect our rights, property, and safety
    • Protect the rights, property, and safety of clients or third parties
    • Respond to emergency situations involving danger to any person

    Notice When Possible: We will notify affected individuals of legal requests for information unless:

    • Prohibited by law or court order
    • Notice could obstruct investigation
    • Emergency circumstances exist

    We may share information with third parties when you explicitly consent, such as:

    • Authorizing us to contact third-party vendors on your behalf
    • Requesting we share information with your other service providers
    • Participating in case studies or testimonials (with explicit permission)
    • Referral programs or partner integrations

    4.6 Aggregated and De-identified Information

    We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you:

    • Industry benchmarking and statistics
    • Research and analysis
    • Public reports or presentations
    • Service improvement insights

    Example: “Our clients experience an average of 4.2 support tickets per month” (no identifying information)


    5. COOKIES AND TRACKING TECHNOLOGIES

    5.1 What Are Cookies

    Cookies are small text files stored on your device when you visit websites. They help websites remember your preferences and provide a better user experience.

    5.2 How We Use Cookies

    Essential Cookies (Cannot Be Disabled):

    • Session Management: Keep you logged in to Support Portal
    • Security: Prevent fraud and secure your account
    • Functionality: Remember your preferences and settings

    Analytics Cookies (Can Be Disabled):

    • Usage Statistics: Understand how visitors use our website
    • Performance Monitoring: Identify technical issues
    • Content Optimization: Determine which content is most valuable

    Marketing Cookies (Can Be Disabled):

    • Ad Tracking: Measure effectiveness of advertising campaigns
    • Remarketing: Show relevant ads to website visitors
    • Conversion Tracking: Understand which marketing efforts lead to inquiries

    5.3 Third-Party Cookies

    Google Analytics:

    • Collects anonymous usage data
    • Provides insights into website traffic and behavior
    • You can opt out: tools.google.com/dlpage/gaoptout

    LinkedIn Insight Tag:

    • Tracks conversions from LinkedIn advertising
    • Enables remarketing to website visitors
    • You can opt out via LinkedIn privacy settings

    Browser Controls: Most browsers allow you to:

    • Block all cookies
    • Block third-party cookies only
    • Delete cookies after browsing
    • Receive alerts when cookies are set

    Browser-Specific Instructions:

    • Chrome: chrome://settings/content/cookies
    • Firefox: support.mozilla.org/cookies
    • Safari: support.apple.com/guide/safari/manage-cookies
    • Edge: support.microsoft.com/microsoft-edge/cookies

    Note: Disabling essential cookies may prevent you from using certain features of our website and Support Portal.

    5.5 Do Not Track Signals

    Some browsers offer “Do Not Track” (DNT) signals. Currently, there is no industry consensus on responding to DNT signals. Our website does not respond to DNT signals, but you can control cookies as described above.


    6. HOW WE PROTECT YOUR INFORMATION

    6.1 Security Measures

    IT Sidekick implements industry-standard security measures to protect your information:

    Technical Safeguards:

    • Encryption: Data encrypted in transit (TLS 1.2+) and at rest where applicable
    • Access Controls: Role-based access controls, principle of least privilege
    • Multi-Factor Authentication (MFA): Required for all Provider staff accounts
    • Firewalls: Network and application-level firewalls
    • Antivirus/Anti-Malware: Real-time protection on all Provider systems
    • Regular Updates: Timely security patches and software updates
    • Monitoring: 24/7 security monitoring and intrusion detection

    Administrative Safeguards:

    • Background Checks: Criminal background checks for all staff with data access
    • Confidentiality Agreements: All staff sign confidentiality and data protection agreements
    • Security Training: Regular security awareness training for all staff
    • Incident Response Plan: Documented procedures for security incidents
    • Vendor Management: Due diligence and contracts with all third-party vendors

    Physical Safeguards:

    • Remote-First: No physical office reduces physical security risks
    • Device Security: Encrypted hard drives, strong passwords, automatic screen locks
    • Secure Disposal: Secure wiping of devices before disposal or repurposing

    6.2 Data Retention

    Active Client Data:

    • Retained for duration of service relationship
    • Necessary for service delivery and legal obligations

    Former Client Data:

    • Support ticket history: Retained for 3 years after termination
    • Payment records: Retained for 7 years (tax and legal requirements)
    • System monitoring data: Deleted within 90 days of termination
    • RMM software: Removed from client systems upon termination

    Website and Marketing Data:

    • Website analytics: Aggregated data retained indefinitely
    • Marketing contacts: Retained until opt-out or 3 years of inactivity
    • Communications: Retained for 3 years or as required by legal obligation

    Legal and Compliance:

    • Information retained longer if required by law, regulation, or legal hold
    • Deletion requests honored subject to legal retention requirements

    6.3 Data Security Limitations

    No Guarantee of Absolute Security:

    Despite our security measures, no system is completely secure. We cannot guarantee:

    • Prevention of all unauthorized access
    • Complete protection against cyber attacks
    • Zero data breaches or security incidents

    Your Responsibilities:

    You play a critical role in security:

    • Strong Passwords: Use unique, complex passwords for your accounts
    • MFA: Enable multi-factor authentication where available
    • Device Security: Keep your devices secure and updated
    • Phishing Awareness: Be cautious of suspicious emails or links
    • Prompt Reporting: Report suspected security issues immediately

    In Event of Breach:

    If we experience a data breach affecting your information:

    1. We will notify you within 72 hours of discovery (in compliance with GDPR requirements)
    2. We will explain what information was affected
    3. We will describe steps we’re taking to respond
    4. We will provide recommendations for protecting yourself
    5. We will cooperate with regulatory requirements

    7. YOUR PRIVACY RIGHTS

    7.1 Rights for All Users

    Access: You can request a copy of the personal information we hold about you

    Correction: You can request correction of inaccurate or incomplete information

    Deletion: You can request deletion of your information (subject to legal retention requirements)

    Portability: You can request your information in a machine-readable format

    Opt-Out: You can opt out of marketing communications at any time

    Objection: You can object to certain processing of your information

    7.2 California Privacy Rights (CCPA/CPRA)

    If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

    Right to Know:

    • Categories of personal information collected
    • Sources of personal information
    • Business or commercial purposes for collecting information
    • Categories of third parties with whom we share information

    Right to Delete:

    • Request deletion of personal information we collected from you
    • Subject to exceptions (legal obligations, service delivery, security)

    Right to Opt-Out of Sale:

    • We do NOT sell personal information
    • If we ever do, you have right to opt out

    Right to Non-Discrimination:

    • We will not discriminate against you for exercising CCPA rights
    • Same service quality regardless of privacy choices

    Right to Limit Use of Sensitive Personal Information:

    • We collect minimal sensitive information
    • Used only for service delivery purposes

    California “Shine the Light” Law:

    • Request information about sharing personal information with third parties for direct marketing
    • We do not share personal information for third-party direct marketing

    7.3 European Privacy Rights (GDPR)

    If you are in the European Economic Area (EEA), UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

    Legal Basis for Processing:

    • Contract Performance: Providing services you requested
    • Legitimate Interests: Business operations, security, fraud prevention
    • Consent: Marketing communications, cookies (where required)
    • Legal Obligation: Compliance with laws and regulations

    Your GDPR Rights:

    • Access: Obtain copy of your personal data
    • Rectification: Correct inaccurate data
    • Erasure: Request deletion (“right to be forgotten”)
    • Restriction: Limit processing in certain circumstances
    • Portability: Receive data in machine-readable format
    • Objection: Object to processing based on legitimate interests
    • Withdraw Consent: Withdraw consent where processing is consent-based
    • Automated Decision-Making: We do not use automated decision-making or profiling

    Data Transfers:

    • IT Sidekick operates from Sweden (within EEA)
    • Some vendors may be located outside EEA (with appropriate safeguards)
    • We use Standard Contractual Clauses (SCCs) where applicable

    Supervisory Authority:

    • You have right to lodge complaint with data protection authority
    • Sweden: Integritetsskyddsmyndigheten (IMY) – www.imy.se
    • Your local authority: edpb.europa.eu/about-edpb/about-edpb/members_en

    7.4 Other Jurisdictions

    Canada (PIPEDA): Canadian residents have rights similar to GDPR, including access, correction, and complaint to Privacy Commissioner of Canada

    Other US States: Residents of Virginia, Colorado, Connecticut, Utah, and other states with privacy laws have similar rights to CCPA

    International Users: If you are located outside the US, Sweden, or EEA, you may have privacy rights under your local laws

    7.5 How to Exercise Your Rights

    Submit Privacy Request:

    Email: privacy@itsidekick.co

    Include in Request:

    • Your full name and contact information
    • Specific right you wish to exercise
    • Description of information requested (if applicable)
    • Relationship to IT Sidekick (client, website visitor, etc.)

    Verification Process: To protect your privacy, we will verify your identity before processing requests:

    • Email address verification
    • Account authentication (if you have account)
    • Additional information if needed to prevent fraud

    Response Timeline:

    • Initial acknowledgment: Within 5 Business Days
    • Complete response: Within 30 days (may extend to 45 days for complex requests)
    • We will explain any delays or reasons for denial

    No Fee: We do not charge fees for privacy requests unless:

    • Request is manifestly unfounded or excessive
    • You request multiple copies of same information

    Authorized Agents: California residents may use authorized agents to submit requests:

    • Provide written authorization from consumer
    • Verify consumer’s identity
    • Verify agent’s authority

    8. CHILDREN’S PRIVACY

    8.1 Services Not Directed to Children

    IT Sidekick’s services are designed for business use and are not directed to children under 13 years of age (or 16 in some jurisdictions).

    We Do NOT:

    • Knowingly collect information from children under 13
    • Market services to children
    • Allow children to create accounts
    • Provide services designed for children

    8.2 Parental Notice

    If you are a parent or guardian and believe your child has provided personal information to us:

    • Email: privacy@itsidekick.co
    • Subject: “Child Privacy Concern”
    • We will promptly investigate and delete the information

    8.3 Business Client Responsibility

    Business clients are responsible for:

    • Ensuring only adults use our services
    • Not providing children access to business accounts
    • Supervising any minors in their workplace
    • Compliance with child privacy laws in their jurisdiction

    9. INTERNATIONAL DATA TRANSFERS

    9.1 Cross-Border Data Transfers

    Our Operating Model:

    • IT Sidekick operates from Sweden (within European Economic Area)
    • Services are provided to clients primarily in the United States
    • Some vendors and service providers may be located in other countries

    This means:

    • Personal information may be transferred from US to Sweden (and vice versa)
    • Personal information may be transferred to other countries where vendors operate
    • Different countries have different privacy laws and protections

    9.2 Safeguards for International Transfers

    For EEA to US Transfers:

    • IT Sidekick complies with GDPR requirements
    • We use appropriate safeguards such as:
      • Standard Contractual Clauses (SCCs)
      • Vendor agreements with data protection terms
      • Assessment of data protection laws in receiving countries

    For US to EEA Transfers:

    • GDPR provides framework for protecting European data
    • IT Sidekick operates under Swedish data protection law
    • Integritetsskyddsmyndigheten (IMY) is supervisory authority

    Vendor Transfers:

    • We conduct due diligence on vendor data protection practices
    • Contracts include data protection and security requirements
    • Major vendors (Microsoft, Stripe) have robust international data transfer mechanisms

    By using our services, you consent to:

    • Transfer of your information to Sweden
    • Transfer of your information to United States (if you’re in EEA)
    • Transfer of your information to vendor locations worldwide
    • Processing under this Privacy Policy and applicable laws

    If you do not consent to these transfers, please do not use our services.


    10. CHANGES TO THIS PRIVACY POLICY

    10.1 Right to Modify

    IT Sidekick reserves the right to modify this Privacy Policy at any time to reflect:

    • Changes in our services or operations
    • Changes in applicable laws or regulations
    • New privacy or security practices
    • Feedback from clients or privacy authorities
    • Best practice developments

    10.2 Notice of Changes

    Material Changes: If we make material changes that significantly affect your privacy:

    • We will email active clients at least 30 days before effective date
    • We will post prominent notice on our website
    • We will update “Last Updated” date at top of this policy

    Non-Material Changes: For minor updates, clarifications, or administrative changes:

    • We will update “Last Updated” date
    • Changes effective immediately upon posting
    • Continued use constitutes acceptance

    10.3 Your Options After Changes

    If you disagree with changes to this Privacy Policy:

    • Active Clients: You may terminate your service agreement per MSA terms (30-day notice)
    • Website Visitors: You may stop using our website
    • Marketing Contacts: You may unsubscribe from communications

    10.4 Version History

    Current version: 1.0 (November 2025)

    • Initial Privacy Policy

    View Previous Versions: Contact privacy@itsidekick.co to request previous versions


    11. BUSINESS CLIENT DATA HANDLING

    11.1 Our Limited Role

    CRITICAL UNDERSTANDING:

    When providing IT support services to business clients (accounting firms), IT Sidekick:

    ✓ WE ARE:

    • Technical service provider with incidental access to client systems
    • Service provider under Master Services Agreement
    • Technical implementer of security measures

    ✗ WE ARE NOT:

    • Data custodian of client’s business data
    • Data controller or processor under privacy laws
    • Responsible for client’s compliance obligations
    • Compliance consultant or advisor
    • Authorized to make decisions about client data

    11.2 Incidental Access vs. Intentional Collection

    What “Incidental Access” Means:

    During IT support delivery, we may see data on client systems, including:

    • Open files or applications during screen sharing
    • Filenames or folder structures while troubleshooting
    • Network traffic or system logs during diagnostics
    • Email subject lines or senders while fixing email issues

    However:

    • We do NOT intentionally access, read, collect, or use this data
    • We do NOT store or copy client business data
    • We immediately look away from sensitive information
    • We access only what’s necessary to provide IT support

    Example Scenario:

    ✓ Appropriate Access:

    Client: “My QuickBooks won’t open”
    Provider: [Remote into system, sees QuickBooks error, checks file path, verifies file integrity, fixes file lock issue]
    Provider accesses: QuickBooks application, file system, error logs
    Provider does NOT access: The accounting data inside QuickBooks files

    ✗ Inappropriate Access:

    Provider: [While fixing email issue, opens and reads client’s confidential emails out of curiosity]
    This violates our policy and confidentiality obligations

    11.3 Client Remains Data Controller

    Client’s Responsibilities:

    Business clients are solely responsible for:

    • Legal Compliance: All data protection and privacy laws (GDPR, CCPA, state laws, IRS regulations)
    • Data Security: Implementing appropriate security policies and procedures
    • User Training: Training their staff on data handling and privacy
    • Incident Response: Data breach notification and response decisions
    • Data Subject Rights: Responding to access, deletion, and other privacy requests
    • Vendor Management: Ensuring all their vendors (including us) have appropriate safeguards
    • Record Keeping: Maintaining records of processing activities as required by law

    Our Role:

    • Implement technical security measures as contracted
    • Provide incident notification if we discover security issues
    • Cooperate with client’s incident response
    • Sign Business Associate Agreements (BAAs) if required for HIPAA (although accounting data typically not HIPAA-covered)

    11.4 Business Associate Agreements (BAA)

    HIPAA and BAAs:

    Accounting practices typically do NOT handle Protected Health Information (PHI) and therefore do NOT need HIPAA Business Associate Agreements.

    However, if your practice:

    • Provides bookkeeping for healthcare providers
    • Handles medical billing or coding
    • Has access to patient health information

    Then:

    • You may require a Business Associate Agreement
    • Contact us to discuss: privacy@itsidekick.co
    • BAA available upon request for qualifying situations

    Standard Contracts: Our Master Services Agreement includes:

    • Confidentiality obligations
    • Data security requirements
    • Incident notification procedures
    • Limitations on data use
    • Adequate for most accounting firm needs

    11.5 Technical and Organizational Measures

    What We Implement:

    As technical service provider, we implement:

    Access Controls:

    • Unique user accounts for each technician
    • Multi-factor authentication required
    • Role-based access controls
    • Principle of least privilege
    • Access logs maintained

    Encryption:

    • TLS 1.2+ for all remote connections
    • Encrypted VPN where applicable
    • Encrypted storage of support tickets and system data
    • Encrypted backup of monitoring data

    Monitoring and Logging:

    • Security event logging
    • Access logs for audit trail
    • Intrusion detection systems
    • Regular log review

    Incident Response:

    • 24/7 security monitoring
    • Documented incident response procedures
    • Notification within 48 hours of discovery
    • Cooperation with client’s response efforts

    Vendor Management:

    • Vetted third-party tools and services
    • Contracts with data protection requirements
    • Regular vendor security assessments

    11.6 Data Breach Notification

    If We Discover Potential Breach:

    1. Immediate Containment:
      • Take immediate action to contain incident
      • Prevent further unauthorized access
      • Preserve evidence
    2. Client Notification:
      • Notify client within 72 hours of discovery (in compliance with GDPR requirements)
      • Provide details: what happened, what data may be affected, when discovered
      • Explain containment actions taken
    3. Investigation Support:
      • Provide detailed logs and evidence
      • Cooperate with client’s investigation
      • Coordinate with client’s incident response team
    4. Client’s Responsibility:
      • Client determines legal notification requirements
      • Client notifies affected individuals per applicable law
      • Client notifies regulatory authorities if required
      • Client makes all legal and compliance decisions

    Important:

    • Our notification does NOT constitute admission of liability
    • Client responsible for determining breach reporting obligations
    • Client should consult legal counsel for breach response
    • We provide technical facts, not legal advice

    11.7 Subprocessors and Vendors

    Our Key Vendors That May Access Client Systems:

    1. Remote Monitoring & Management (RMM):
      • Examples: NinjaOne, Atera
      • Purpose: System monitoring, remote access, automated maintenance
      • Data Accessed: System health data, configurations, monitoring metrics
      • Location: US-based vendors
      • Safeguards: Encrypted connections, access controls, vendor contracts
    2. Ticketing System:
      • Examples: Freshdesk, HubSpot
      • Purpose: Support ticket management
      • Data Accessed: Ticket descriptions, screenshots, support history
      • Location: US-based vendors
      • Safeguards: Encryption, access controls, data retention policies
    3. Microsoft 365:
      • Purpose: Email, document storage, Teams meetings
      • Data Accessed: Communications between us and client
      • Location: Microsoft global infrastructure
      • Safeguards: Microsoft’s enterprise security and compliance
    4. Other Tools:
      • Security monitoring tools
      • Backup verification tools
      • Network diagnostic tools

    Vendor Updates:

    • We may change vendors as technology evolves
    • Material changes to subprocessors will be communicated
    • Clients may object to new subprocessors per MSA

    11.8 Data Retention After Termination

    When Service Agreement Ends:

    1. Immediate Actions:
      • Remove monitoring software from client systems (within 30 days)
      • Disable remote access to client systems
      • Stop collecting monitoring data
    2. Data Retention:
      • Support ticket history: 3 years (legal and business record purposes)
      • System monitoring data: Deleted within 90 days
      • Client contact information: 3 years (business records)
      • Payment records: 7 years (tax requirements)
    3. Data Return or Destruction:
      • Upon request, provide copy of support ticket history
      • Securely delete monitoring data after retention period
      • Confirm deletion in writing if requested
    4. Exceptions:
      • Data retained longer if required by law
      • Data retained for ongoing legal proceedings
      • Aggregated, anonymized data may be retained indefinitely

    Our website and communications may contain links to third-party websites, including:

    • Vendor websites (Microsoft, Stripe, etc.)
    • Industry resources and publications
    • Client websites (with permission)
    • Social media platforms
    • Partner or affiliate sites

    Important:

    • This Privacy Policy does NOT apply to third-party websites
    • We are not responsible for privacy practices of third-party sites
    • We encourage you to review privacy policies of any site you visit
    • Linking does not imply endorsement or affiliation

    12.2 Third-Party Tools and Integrations

    We use various third-party tools to deliver our services:

    Each Has Own Privacy Policy:

    • Microsoft 365: microsoft.com/privacy
    • Stripe: stripe.com/privacy
    • Google Analytics: policies.google.com/privacy
    • RMM vendors: [respective vendor policies]

    Our Responsibility:

    • Conduct due diligence on vendor privacy practices
    • Require contractual data protection commitments
    • Monitor vendor compliance
    • Notify clients of material vendor changes

    Your Responsibility:

    • Review vendor privacy policies if concerned
    • Understand how your data may be used
    • Contact us with questions about specific vendors

    12.3 Social Media

    We maintain presence on social media platforms:

    • LinkedIn
    • Facebook
    • Twitter/X
    • YouTube (potential future)

    When You Interact:

    • Your interactions are governed by the platform’s privacy policy
    • We may see your public profile information
    • We do not collect personal information from social media except what you voluntarily provide
    • Messages sent via social media may not be secure

    Recommendations:

    • Use Support Portal or email for sensitive communications
    • Review privacy settings on social media platforms
    • Understand platforms may use your data for advertising

    13. ADDITIONAL INFORMATION

    13.1 Email Security

    Email Is Not Fully Secure:

    • Standard email is not encrypted end-to-end
    • Email may be intercepted during transmission
    • Email providers may scan content

    Best Practices:

    • Do not send sensitive personal information via email (SSNs, passwords, credit card numbers)
    • Use Support Portal for submitting sensitive information
    • Contact us if you need a secure file transfer method

    13.2 Account Security

    Your Responsibilities:

    • Strong Passwords: Use unique, complex passwords (12+ characters, mixed case, numbers, symbols)
    • MFA: Enable multi-factor authentication if available
    • Private Credentials: Never share passwords with anyone
    • Secure Devices: Keep your devices secure and updated
    • Log Out: Log out of shared or public computers
    • Suspicious Activity: Report immediately if you suspect unauthorized access

    Our Commitments:

    • We will NEVER ask for your password via email or phone
    • We will NEVER ask you to disable security features
    • We use industry-standard authentication and session management

    13.3 California Shine the Light

    California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes.

    Our Practice: We do NOT share personal information with third parties for their direct marketing purposes.

    To Submit Request: Email privacy@itsidekick.co with subject “California Shine the Light Request”

    13.4 Nevada Privacy Rights

    Nevada residents may opt out of the sale of certain covered information.

    Our Practice: We do NOT sell covered information as defined by Nevada law.

    If we ever change this practice, Nevada residents may opt out by emailing: optout@itsidekick.co

    13.5 Accessibility

    We are committed to making our Privacy Policy accessible to individuals with disabilities.

    If you need this Privacy Policy in an alternative format:

    • Large print
    • Screen reader compatible
    • Other accessible format

    Contact: privacy@itsidekick.co


    14. QUESTIONS AND COMPLAINTS

    14.1 Contact Us

    For Privacy Questions or Concerns:

    Email: privacy@itsidekick.co

    Mail:
    AVD Consulting AB dba IT Sidekick
    Attn: Privacy Officer (Jacob Lindqvist)
    Sköndalsvägen 73
    128 66 Stockholm, Sweden
    Organization Number: 559175-9138

    Response Time: Within 5 Business Days for initial response

    14.2 Complaints and Disputes

    If You Have a Privacy Concern:

    1. Contact Us First:
      • Email privacy@itsidekick.co with detailed description
      • We will investigate and respond within 15 Business Days
      • We take all privacy concerns seriously
    2. Regulatory Authorities: If not satisfied with our response, you may contact:
      United States:
      • Federal Trade Commission: ftc.gov/complaint
      • State Attorney General (varies by state)
      • California Attorney General (CA residents): oag.ca.gov/privacy
      European Union / EEA:
      • Swedish Data Protection Authority (IMY): www.imy.se
      • Your local data protection authority: edpb.europa.eu
      Canada:
      • Office of the Privacy Commissioner: priv.gc.ca
    3. Legal Action:
      • You have the right to pursue legal remedies under applicable law
      • See Master Services Agreement for dispute resolution provisions
      • Arbitration clause may apply per MSA

    14.3 Good Faith Resolution

    We are committed to resolving privacy concerns in good faith:

    • We will respond promptly to all inquiries
    • We will investigate thoroughly
    • We will take corrective action when appropriate
    • We will learn from feedback to improve practices

    By doing any of the following, you consent to this Privacy Policy:

    Website Use:

    • Visiting our website
    • Submitting forms on our website
    • Accepting cookies (for non-essential cookies)

    Service Use:

    • Signing Master Services Agreement
    • Creating account on Support Portal
    • Submitting support tickets
    • Participating in training or service delivery

    Communication:

    • Emailing us or calling us
    • Subscribing to our newsletter
    • Requesting information about services

    Where processing is based on consent, you may withdraw consent at any time:

    Marketing Communications:

    • Click “unsubscribe” in emails
    • Email optout@itsidekick.co
    • Update preferences in account settings

    Cookies:

    • Adjust browser settings
    • Disable specific cookie categories
    • See Section 5 for instructions

    Account and Services:

    • Delete your account
    • Terminate service agreement per MSA
    • Request deletion of personal information

    Effect of Withdrawal:

    • Withdrawal does not affect lawfulness of processing before withdrawal
    • We may still process information on other legal bases (legal obligation, contract performance)
    • Some withdrawals may affect our ability to provide services

    If you are under 18 years old:

    • You must have parent or guardian consent to use our services
    • Our services are designed for business use by adults
    • Parents: Contact us if your child provided information without permission

    APPENDIX A: DEFINITIONS

    Business Day: Monday through Friday, excluding US federal holidays

    Client: Business entity with active Master Services Agreement with IT Sidekick

    Coverage Hours: 8:00 AM to 4:00 PM Eastern Time on Business Days

    EEA: European Economic Area (EU member states plus Iceland, Liechtenstein, Norway)

    Incidental Access: Unintentional viewing or exposure to data that occurs during IT support delivery, not intentional collection or use

    Personal Information / Personal Data: Information that identifies, relates to, or could reasonably be linked to an individual or household

    Processing: Any operation performed on personal information, including collection, storage, use, disclosure, or deletion

    RMM: Remote Monitoring and Management software used for system monitoring and remote access

    Sensitive Personal Information: Social Security Number, financial account numbers, precise geolocation, health information, biometric data, and similar categories requiring special protection under privacy laws

    Support Portal: IT Sidekick’s online platform for submitting and tracking support tickets

    User: Individual using IT Sidekick’s services, including business client employees and individual contacts


    APPENDIX B: CONTACT INFORMATION

    General Privacy Inquiries:

    Privacy Rights Requests (Access, Deletion, etc.):

    Data Breach Concerns:

    Marketing Opt-Out:

    • Email: optout@itsidekick.co
    • Or click “unsubscribe” in any marketing email
    • Effective: Within 10 Business Days

    General Support:

    Business Address:
    AVD Consulting AB dba IT Sidekick
    Sköndalsvägen 73
    128 66 Stockholm, Sweden
    Organization Number: 559175-9138

    Service Operations: Remote operations from Sweden, serving US-based clients during US business hours


    APPENDIX C: INTERNATIONAL DATA TRANSFER MECHANISMS

    Standard Contractual Clauses (SCCs)

    When we transfer personal data from EEA to countries without adequate protection, we use European Commission-approved Standard Contractual Clauses.

    Current SCC Framework:

    • European Commission Implementing Decision (EU) 2021/914
    • Covers controller-to-processor and processor-to-processor transfers
    • Includes supplementary measures as recommended by EDPB

    To Request Copy: Email privacy@itsidekick.co with subject “SCC Request”

    Transfer Impact Assessment

    We conduct Transfer Impact Assessments (TIA) for transfers to countries without adequacy decisions:

    • Assess laws and practices in receiving country
    • Evaluate whether supplementary measures needed
    • Document decision-making process
    • Re-assess when circumstances change

    Data Processing Agreements

    Our vendor contracts include:

    • Data protection and security requirements
    • Limitations on data use
    • Subprocessor requirements
    • Audit rights
    • Breach notification obligations

    APPENDIX D: PRIVACY POLICY SUMMARY

    Quick Reference Guide

    What We Collect:

    • Contact information (name, email, phone)
    • Business information (company, industry, size)
    • Payment information (via Stripe)
    • Support ticket information and communications
    • Website usage data (cookies, analytics)
    • System monitoring data (for business clients with monitoring services)

    How We Use It:

    • Provide IT support services
    • Process payments and billing
    • Communicate about services
    • Improve our services
    • Comply with legal obligations
    • Prevent fraud and abuse

    How We Protect It:

    • Encryption (in transit and at rest)
    • Access controls and MFA
    • Security monitoring
    • Background checks for staff
    • Regular security training
    • Incident response procedures

    Who We Share With:

    • Service providers and vendors (Microsoft, Stripe, RMM tools, etc.)
    • Legal requirements (subpoenas, court orders)
    • Business transfers (mergers, acquisitions)
    • With your consent

    We Do NOT:

    • Sell your personal information
    • Share for third-party marketing
    • Intentionally collect children’s information
    • Use data beyond what’s necessary for services

    Your Rights:

    • Access your information
    • Correct inaccurate information
    • Delete your information (with exceptions)
    • Opt out of marketing
    • Export your data
    • Object to processing

    How to Exercise Rights:

    Email: privacy@itsidekick.co

    Response: Within 30 days

    Questions: Email: privacy@itsidekick.co