Privacy Policy
- We run a consulting business. We do not sell personal information and we do not use this site for ad targeting.
- Website data is limited to what’s needed for security and operations (and optional analytics if enabled).
- Client data is handled under contract (NDA/SOW/DPA where applicable) and secured with enterprise-grade controls.
1) Scope
This Privacy Policy describes how K/20X Labs handles information: (a) when you visit our website, and (b) when we provide professional services to clients under contract.
2) Data We Handle
2.1 Website Visitors
We keep website data minimal. Depending on configuration, we may process:
- Basic technical logs (e.g., IP address, timestamps, requested URLs, user-agent) generated by servers for security and operational reliability.
- No behavioral analytics by default: we do not use tracking cookies for advertising, cross-site tracking, or profiling.
- No website forms: we do not operate public web forms that collect personal information on this site (contact is handled via email/contract channels).
2.2 Client / Engagement Data
During consulting engagements, we may process business data and (sometimes) personal data contained in client systems (e.g., customer records, employee records, analytics events, identifiers). The exact categories depend on the client’s environment and instructions.
In many engagements, K/20X Labs acts as a data processor / service provider handling client-controlled data under contract (e.g., NDA, SOW, and where applicable a DPA). In those cases, the client is the controller/business and determines what data is processed, for what purposes, and for how long. We follow the client’s written instructions and apply security safeguards described in this policy.
2.3 Sensitive Data
We do not request sensitive personal information via the website. For client engagements, we process only what is necessary for the contracted services and apply additional safeguards where the data is sensitive or regulated.
3) Purposes and Legal Bases
Where GDPR applies, we process personal data only with an appropriate legal basis (e.g., performance of a contract, legitimate interests, consent where required, and compliance with law). Transparency requirements include identifying the controller, purposes, legal basis, recipients, and retention periods.
Website purposes
- Security and reliability: detect abuse, prevent fraud, and maintain service availability.
- Operational analytics (optional): understand aggregate usage and improve the site (only if enabled).
Client services purposes
- Deliver contracted services: data quality, analytics engineering, AI implementation, governance, and operational enablement.
- Security: protect client environments and data processed under contract.
- Legal compliance: comply with applicable laws and lawful requests.
4) Sharing and Disclosures
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
Service providers / subprocessors
We may use vetted vendors (e.g., hosting providers, email, incident monitoring) to operate our business. When we do, we use contracts and controls appropriate to the risk, and limit access to the minimum necessary for the task.
Legal and safety
We may disclose information if required to comply with law, enforce agreements, or protect the rights, property, or safety of clients, users, or the public.
5) Data Retention
We retain personal data only as long as necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law. Where exact periods cannot be stated, we use objective criteria (e.g., contract duration, legal obligations, dispute windows, security needs).
- Website technical logs: typically retained for a limited period for security and troubleshooting, then deleted or aggregated.
- Client engagement data: retained according to contract, client instructions, and legal requirements; often returned, deleted, or securely archived at the end of the engagement.
- Business records (invoices, contracts): retained as required for tax/accounting/legal obligations.
6) Security
We apply safeguards designed for enterprise environments. Depending on the engagement and system, controls may include:
- Access control (least privilege), strong authentication, and audited admin access.
- Encryption in transit (TLS) and, where applicable, encryption at rest.
- Segmentation of environments and secure secrets management.
- Operational logging and monitoring for suspicious activity.
- Secure development and change control practices for production systems.
- Incident response procedures and contractual notification obligations where applicable.
No method of transmission or storage is 100% secure; we continuously improve controls to match risk.
7) International Transfers
We operate globally and may process data in multiple countries depending on client systems and vendors. Where GDPR applies and data is transferred internationally, we use appropriate safeguards (such as contractual protections and security measures) consistent with applicable requirements.
8) Your Rights (GDPR / US State Privacy)
8.1 GDPR rights (EEA/UK/Switzerland where applicable)
Depending on context and applicability, you may have the right to access, correct, or delete your personal data, to restrict or object to processing, and to data portability, as well as the right to withdraw consent where processing is based on consent.
8.2 California and other US state privacy rights (CCPA/CPRA-style)
Where applicable, you may have rights to know/access, delete, correct, and to opt out of sale/sharing (we do not sell/share for advertising), and to limit use of sensitive information if we were to collect it in a covered context.
8.3 How to exercise rights
Email us at jd@k20x.com with your request. We may need to verify your identity and the scope of the request. If we are acting as a processor/service provider for a client, we may redirect you to the client (the controller/business) to process the request.
8.4 Notice at collection summary (CCPA/CPRA-style)
Categories (website): basic technical identifiers/log data; and optional analytics data if enabled.
Purposes: security, fraud prevention, site reliability; optional aggregate analytics/improvement if enabled.
Sold or shared: we do not sell personal information and do not share for cross-context behavioral advertising.
Retention: limited and purpose-based; see “Data Retention.”
9) Children
Our services are intended for businesses and professionals. We do not knowingly collect personal information from children under 13 via this website.
10) Changes
We may update this policy to reflect changes in our practices or legal requirements. We will revise the “Last updated” date above.
11) Contact
References for policy structure: GDPR transparency obligations require specific disclosures (controller identity, purposes, legal basis, retention, rights). California privacy rules require a notice at collection including categories, purposes, whether sold/shared, and retention.