California Privacy Disclosure
CCPA / CPRA Notice at Collection
Last Updated: February 14, 2026
1. Scope of This Notice
This California Privacy Disclosure ("Notice") is provided pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"). It applies exclusively to California residents ("consumers") and supplements our main Privacy Policy.
ITOptik ("we," "us," or "our") is a business-to-business IT due diligence platform. Our users are primarily professionals acting on behalf of Private Equity firms, due diligence firms, and target companies undergoing assessment. Where you interact with the Platform in your capacity as an employee or contractor of a business client, certain CCPA provisions may apply differently as permitted under the statute.
2. Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
| CCPA Category | Examples of Data Collected | Collected? |
|---|---|---|
| A. Identifiers | Full name, email address, phone number, IP address, unique account identifiers | Yes |
| B. Personal information under Cal. Civ. Code § 1798.80(e) | Name, address (billing), telephone number | Yes |
| C. Protected classification characteristics | Not collected | No |
| D. Commercial information | Invoice details, payment amounts, transaction identifiers, billing history | Yes |
| E. Biometric information | Not collected | No |
| F. Internet or other electronic network activity | Login timestamps, browser/device information (user agent), session activity, failed login attempts | Yes |
| G. Geolocation data | Approximate location inferred from IP address (not precise GPS geolocation) | Yes |
| H. Sensory data | Not collected | No |
| I. Professional or employment-related information | Job title, company name, role within the platform (e.g., PE firm user, DD firm user) | Yes |
| J. Non-public education information | Not collected | No |
| K. Inferences | AI-generated assessment scores, risk flags, and deal quality evaluations derived from uploaded due diligence documents | Yes |
| L. Sensitive personal information | Account login credentials (email address combined with encrypted password). No other categories of sensitive PI are collected. | Yes (limited) |
3. Sources of Personal Information
We collect personal information from the following sources:
- Directly from you: When you create an account, upload documents, complete assessments, provide interview responses, or contact us.
- From your employer or organization: When an administrator at your firm creates your account or adds you to the Platform on behalf of your organization.
- Automatically from your device: IP addresses, browser and device information, and session activity data are collected automatically when you access the Platform.
- From third-party service providers: Payment confirmation data from our payment processor (Payload.com).
4. Business and Commercial Purposes for Collection
We collect and use personal information for the following business and commercial purposes:
- Providing and maintaining the Platform: Operating the multi-portal due diligence system, managing user accounts, and delivering assessment workflows.
- Processing due diligence assessments: Facilitating document collection, expert review, scoring, and report generation for IT due diligence engagements.
- AI-powered document analysis and scoring: Sending document text and interview transcripts to AI models (Anthropic Claude via AWS Bedrock) to generate analysis results, assessment scores, risk evaluations, and deal memos.
- Payment processing and billing: Generating invoices, processing payments, and maintaining billing records between platform participants.
- Security, fraud prevention, and compliance: Authenticating users, enforcing MFA, monitoring for suspicious activity, maintaining audit trails for SOC2 compliance, and enforcing rate limits.
- Communication: Sending transactional emails including account verification, password resets, document request notifications, and assessment status updates.
- Improving and debugging the Platform: Tracking and resolving errors, monitoring uptime, and improving reliability and performance.
5. Sale and Sharing Disclosure
ITOptik does NOT sell your personal information.
ITOptik does NOT share your personal information for cross-context behavioral advertising.
We have not sold or shared (as those terms are defined under the CCPA) any personal information in the preceding 12 months. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.
We do not use any third-party analytics services, advertising trackers, or ad networks on the Platform. There are no Google Analytics, Facebook Pixel, or similar marketing tracking tools deployed.
6. Categories of Third Parties Receiving Personal Information
We disclose personal information to the following categories of third parties solely for the business purposes described above. These disclosures are made under service provider agreements and are not "sales" or "sharing" under the CCPA.
| Category of Third Party | Provider(s) | PI Categories Disclosed |
|---|---|---|
| Cloud infrastructure and database hosting | Supabase, AWS | A, B, D, F, G, I, K, L |
| AI model providers (document analysis) | AWS Bedrock / Anthropic | Document text and interview transcripts only (may contain A, I) |
| Payment processors | Payload.com | A, B, D |
| Email service providers | Resend | A (email address, name) |
| Error monitoring services | Sentry | F (error context); may include anonymized A |
Category letters reference the CCPA categories listed in Section 2 above.
7. Retention Periods
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Below are our retention periods by category:
| Data Category | Retention Period |
|---|---|
| Account identifiers and profile data (A, B, I) | Duration of the account; deleted upon account removal (subject to legal holds) |
| Billing and commercial data (D) | Duration of the business relationship plus applicable tax/financial record-keeping periods |
| Documents and assessment data (K) | Duration of the active business relationship; available for retrieval after termination, then deleted |
| Internet/electronic activity and geolocation (F, G) | Audit logs retained indefinitely (SOC2 requirement); rate limit records auto-deleted after 1 hour |
| Authentication and security data (L) | Duration of the account; credentials are irreversibly hashed and deleted upon account removal |
8. Your California Rights Under CCPA/CPRA
As a California resident, you have the following rights under the CCPA/CPRA:
Right to Know
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collection, and the categories of third parties to whom it was disclosed.
Right to Delete
You have the right to request that we delete the personal information we have collected about you, subject to certain legal exceptions (such as data needed to complete a transaction, maintain security, comply with legal obligations, or exercise legal claims).
Right to Correct
You have the right to request that we correct inaccurate personal information that we maintain about you, taking into account the nature of the information and the purposes of processing.
Right to Opt-Out of Sale or Sharing
You have the right to direct a business that sells or shares your personal information to stop doing so. As stated in Section 5, ITOptik does not sell or share your personal information, so there is no sale or sharing from which to opt out. However, this right is available to you should our practices change in the future.
Right to Limit Use of Sensitive Personal Information
You have the right to limit the use and disclosure of sensitive personal information to uses that are necessary to perform the services you request. The only sensitive PI we collect is account login credentials (email combined with encrypted password), which are used solely for the purpose of authenticating your identity. We do not use sensitive PI for any purpose beyond what is necessary to provide the Platform.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge you different prices, provide a different quality of service, or suggest that you will receive a different level of service for exercising your rights.
9. How to Exercise Your Rights
To submit a request to know, delete, or correct your personal information, contact us using any of the methods below:
Email: privacy@itoptik.com
Please include "California Privacy Request" in the subject line and specify which right you are exercising.
Verification Process
Before fulfilling your request, we will verify your identity to ensure we are responding to the correct individual. Verification may involve:
- Confirming your email address matches an account in our system
- Requesting additional information that we can match against our records
- For requests to access specific pieces of personal information, we may require a signed declaration under penalty of perjury
Response Timeframe
We will acknowledge receipt of your request within 10 business days and will respond substantively within 45 calendar days of receiving a verifiable request. If we need additional time, we will notify you in writing and may extend the response period by an additional 45 calendar days (for a maximum total of 90 calendar days), explaining the reason for the delay.
11. Financial Incentive Programs
ITOptik does not offer any financial incentive programs, loyalty programs, or price or service differences that are related to the collection, retention, or sale of personal information.
12. Request Metrics
The CCPA requires businesses that receive 10 million or more California consumers' records annually to publish annual metrics regarding consumer requests. As this is a newly published policy with an effective date of February 14, 2026, we have not yet completed a full reporting year. Metrics for consumer privacy requests — including the number of requests received, fulfilled, and denied, and median response times — will be published after the first full reporting period concludes.
13. Contact for Questions
If you have questions or concerns about this California Privacy Disclosure or wish to exercise your rights, please contact us:
For general privacy questions not specific to California, please see our main Privacy Policy.
This policy is provided for informational purposes. For questions about how this policy applies to your specific situation, please consult qualified legal counsel.