Charm City Networks ("CCN," "we," "us," or "our") is committed to protecting the privacy of our clients and website visitors. This Privacy Policy describes how we collect, use, retain, and protect personal information in the course of providing our managed IT services (including cloud hosting, network management, and data backup) and operating our website. It also outlines the choices and rights you have regarding your personal data.
1. Scope
This Privacy Policy applies to all personal data processed by Charm City Networks, including:
Client Data: Information we collect or handle on behalf of clients in providing cloud hosting, network management, data backup, and other IT services. This includes data clients store on our systems, data we manage or back up, and any personal information clients provide to us for service delivery.
Website Visitor Data: Information collected from visitors to our websites, portals, or online services, including contact information provided by visitors and technical data collected automatically through cookies or similar technologies.
By using our services or visiting our website, you acknowledge that your information will be handled as described in this Policy. In some cases, we act as a "data processor" for our clients (handling data on their instructions), and in others we act as a "data controller" (such as for data collected on our own website). We adhere to applicable privacy laws in both roles.
2. Data Collection
1. Information Collected from Clients: When you become a client, we collect the information needed to set up and deliver our services. This may include:
- Contact and Account Information: Name, business name, job title/role, email address, phone number, billing address, and payment details (for service fees).
- Service Credentials and Configuration: Network diagrams, IP addresses, system credentials, or configuration settings necessary to manage and support your IT infrastructure. This can include usernames or IDs for systems we monitor or maintain (we will never ask for plain-text passwords unless necessary and will handle all access information securely).
- Data Stored or Transmitted via Our Services: Any files, databases, emails, or other data that you host on our cloud servers or that we back up for you as part of our services. This data remains under your ownership; we only process it to fulfill our obligations to you.
- Support Tickets and Communications: If you contact our helpdesk or support team, we may record details of the problem, your system information, and any screenshots or logs you provide, along with the communication records (emails, calls) for troubleshooting and quality assurance.
We collect client information directly from you (e.g. through service agreements, onboarding forms, support requests) or through automated means (for example, our monitoring software may collect system metrics or error logs from your devices). All such collection is done on a need-to-know basis to provide and improve our services.
2. Information Collected from Website Visitors: When you visit charmcitynetworks.com or our related sites, we may collect certain information about your visit:
- Contact Forms and Inquiries: If you fill out a form to request information about our services, subscribe to a newsletter, or contact us, we will collect the information you provide (such as name, email, phone, company, and the content of your message). We use this only to respond to your inquiry or provide the requested service.
- Browsing Data: We gather standard internet log information and details of visitor behavior patterns. This includes your IP address, browser type, device identifiers, pages viewed, date/time of visit, and referring website. We collect this data to analyze web traffic and improve our website's usability.
- Cookies and Similar Technologies: Our website uses "cookies" to enhance user experience and for analytics. Cookies are small text files placed on your device that allow us to remember your preferences and understand how you use our site. For example, we may use cookies to remember your language preferences or to distinguish between new and returning visitors. We also use third-party analytics services (like Google Analytics) that set their own cookies to collect information on our behalf about site traffic and interactions. You can adjust your browser settings to refuse cookies or alert you when cookies are being used; however, some features of our site may not function properly without cookies.
We do not intentionally collect sensitive personal information from website visitors (such as social security numbers or financial account details) through our site. We also do not knowingly collect any personal data from children under 16 without appropriate consent; our services and website are intended for business use by adults.
3. Data Usage
We use the collected information for the following purposes:
- Service Delivery: We process client data to provide our managed IT services and cloud solutions. This includes using your information to set up and maintain accounts, host your data and applications, monitor network performance, perform data backups and disaster recovery, and provide technical support. In short, your data is used only as necessary to fulfill our contract with you and ensure your IT systems run smoothly.
- Service Improvement and Operations: We may analyze usage data (both client system data and website analytics) to troubleshoot issues, improve our services' reliability and features, and develop new offerings. For instance, analyzing network performance logs can help us optimize our network management tools. Website analytics help us understand user interests and improve site content. Such usage is typically done on aggregated or anonymized data when possible, and any personal identifiers are minimized.
- Communication: We use contact information to communicate with clients and prospects. This includes sending service-related communications such as: notices about system maintenance or downtime, security alerts, updates on new features, and responding to support requests. We may also send marketing or promotional emails about our services to clients or to those who have inquired about our services if you have not opted out. You can unsubscribe from marketing emails at any time by using the link in the email or contacting us directly. We will not send you unsolicited communications if you have opted out or if it's not permitted by law.
- Security and Fraud Prevention: It is often necessary to process certain data to keep our services and website secure. We may use data (like IP addresses or user activity logs) to detect and prevent fraud, malware, or other malicious activities. This helps protect both CCN and our clients from breaches and unauthorized access. As an MSP, we recognize the importance of robust security measures to safeguard data.
- Compliance with Legal Obligations: We may process and retain personal information as required to comply with applicable laws and regulations. For example, we might retain billing records for tax purposes, or disclose information if required by a lawful subpoena or government request (as described in "Third-Party Sharing" below).
- Other Purposes with Consent: If we ever need to use your information for a purpose not covered by the above, we will explain it at the time of collection and, if required, obtain your consent. We will not use personal data in a way that is incompatible with the purposes for which it was collected without informing you and obtaining necessary consent.
We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on individuals, unless explicitly agreed to by the individual or required for service delivery (and in such cases, in compliance with applicable law).
4. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy, or as required by law or contract. Because we handle different types of data, retention periods can vary:
- Client Account Information: We retain your account details (name, contact info, agreements, billing records) for as long as you are an active client. After you cease to be a client, we may retain certain account records for a defined retention period (typically up to 7 years from the end of service) to resolve any later disputes, comply with tax and financial record-keeping laws, and enforce our agreements. After this period, or upon your request (if earlier), we will delete or anonymize these records unless we are legally required to keep them longer.
- Service Data (Client Files and Content): Any data that you store on our cloud platforms or that we manage/backup on your behalf will be retained for as long as needed to provide the service. If you delete files or instruct us to delete specific data during the service term, we will promptly do so (and ensure any backup copies are also deleted within a reasonable timeframe). Upon termination of your service or contract, we will either return all client data to you or securely erase it from our systems after a specified grace period. By default, when a contract ends, we retain client-provided data for 30 days (to allow for transition or recovery if needed), after which it is permanently deleted from our active systems and all backups, unless otherwise required by law or agreed upon in writing.
- Backup Data: As part of our managed backup services, we may retain multiple backup copies of your data on a rolling basis. For example, we might keep daily incremental backups for the last 30 days and monthly backups for 6 months (this can vary based on the service plan). These backups are used for recovery purposes and are stored securely (with encryption). Older backup files beyond the retention schedule are automatically deleted or overwritten with newer backups. We do not retain backup data indefinitely; it is purged according to the agreed schedule or our standard practice, unless a longer retention is legally mandated or specifically requested by the client.
- Network and System Logs: Logs from network devices, servers, or security systems that we monitor are generally kept for a limited period (often 90 days to 1 year) for troubleshooting and security review purposes. If such logs contain personal data (e.g., user IDs or IP addresses), we treat them as confidential and restrict access. We may retain specific logs longer if they are relevant to an investigation of an incident or required for legal/audit purposes, but otherwise we delete or anonymize log data after the retention period.
- Website Visitor Data: Information collected from website visitors (analytics data, cookie data) is retained for as short a period as practical. Web server logs containing IP addresses are typically rotated and deleted within 6 to 12 months. Analytics data may be retained up to 14 months (per Google Analytics' standard settings) to allow year-over-year usage comparisons, after which it is automatically deleted or anonymized. If you contact us through the website (e.g., request a quote), we will retain that inquiry information for as long as needed to respond and follow up, typically up to 1 year unless it leads to a formal business relationship (in which case it becomes client data and is retained as noted above).
- Email and Communication Records: If you correspond with us via email or other channels, we may retain those communications and our responses for record-keeping, to train our staff, and to improve our services. These records are typically kept for 2 years unless we need to keep them longer for legal reasons (for example, evidence in case of disputes).
At the end of the applicable retention period, we will either securely delete the personal data or anonymize it (so it can no longer be associated with an individual). Secure deletion involves removing data from our live systems and deleting or rendering unreadable any copies in backups. Anonymization may be used for data that has analytical value – for instance, we might retain aggregated service usage statistics that no longer identify any individual or client.
Please note that in certain cases we may need to retain data beyond the stated periods: for example, if there is an ongoing legal proceeding, if the data is required to be retained by law, or if retention is necessary to enforce our agreements. In all cases, we adhere to the principle of retaining data no longer than necessary. If you have any specific questions about our data retention practices for a certain type of data, you can contact us for more detailed information.
5. Data Protection and Encryption
Charm City Networks takes data security very seriously and employs a range of technical and organizational measures to protect personal information from unauthorized access, disclosure, or destruction. We continually update and refine our security practices in line with industry standards and best practices. Key measures we have in place include:
- Encryption in Transit and At Rest: All sensitive data handled by us is encrypted during transmission over networks (using protocols like HTTPS/SSL/TLS for web traffic, and VPN or secure tunnels for remote management). This means that when data is sent between your systems, our systems, and authorized third parties, it is protected so that eavesdroppers cannot read it. We also encrypt data at rest in our systems and databases. Client data stored on our servers (including backups) is protected by strong encryption algorithms (for example, AES-256 or equivalent), adding an extra layer of security to your stored information. Encryption ensures that even if an unauthorized actor were to gain access to the data, they would not be able to read or use it without the decryption keys.
- Access Controls and Authentication: We restrict access to personal data strictly to authorized personnel who need that information to perform their job duties. We implement role-based access control (RBAC), ensuring each employee or contractor can only access the systems and data necessary for their role. Administrative access to servers, network devices, or databases that contain client data is tightly controlled. We require strong authentication for all such access, including multi-factor authentication (MFA) wherever possible. MFA (for example, a password plus a one-time code) helps ensure that even if a password is compromised, an unauthorized person cannot log in. We also enforce strong password policies, regular password changes, and session timeouts on our systems to reduce the risk of unauthorized access.
- Network Security: Our servers and network infrastructure are secured by firewalls, intrusion detection/prevention systems, and continuous monitoring. We segment networks to isolate sensitive data environments. Regular vulnerability scans and penetration tests are performed to identify and address potential security weaknesses. We also deploy anti-malware and endpoint protection on our managed devices to guard against viruses, ransomware, and other threats. Our cloud hosting environments are configured following industry benchmarks for security hardening.
- Physical and Environmental Security: The data centers and facilities we use (including third-party cloud providers) are secured with measures such as access controls, surveillance, and environmental protections (fire suppression, climate control, backup power). We select hosting partners that have robust physical security certifications (e.g., SSAE 18, ISO 27001) and maintain our own office security to prevent unauthorized data access.
Despite all these measures, it is important to note that no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data using commercially acceptable means and continually improve our safeguards, we cannot guarantee absolute security. However, we do commit to promptly notify affected clients and users in accordance with applicable laws if we discover a data breach involving your personal information.
6. Third-Party Sharing and Disclosure
We do not sell or rent personal information to third parties for marketing or monetary gain. We only share personal data with third parties in the following circumstances and with appropriate safeguards:
- Subprocessors and Service Providers: We may share data with trusted third-party service providers who assist us in operating our business and delivering our services. Examples include cloud infrastructure providers (for server hosting and storage), data center operators, backup storage services, email or SMS providers (for sending service notifications), analytics providers (for website usage analysis), or contractors working on our behalf. In all cases, these third parties are bound by confidentiality obligations and data protection agreements. They are only permitted to process your data for our specified purposes and in compliance with this Privacy Policy. We carefully vet our vendors to ensure they have strong privacy and security practices. Our contracts with them require that they maintain compliant privacy and security measures to protect your data.
- At Client Direction: In some cases, we may hold data that you (the client) intend to share or transfer to a third party as part of the services. For example, if you use our backup service to send data to a third-party storage location, or if you instruct us to collaborate with another vendor (like your website developer or a software provider) who needs access to your systems, we will share data as needed with your consent and direction. We treat the third party as authorized by you, and expect them to uphold appropriate privacy standards.
- Legal Obligations and Protection: We may disclose personal information to third parties (such as courts, law enforcement or regulatory authorities) when we believe disclosure is necessary to:
  - Comply with a law, regulation, legal process, or governmental request. For instance, we may have to respond to subpoenas, court orders, or investigative demands. Where permitted, we will notify you of such requests or objections.
  - Enforce our contracts, agreements, or policies, including investigation of potential violations.
  - Detect or prevent fraud, security, or technical issues, or to assist in the investigation of potential cybersecurity incidents (for example, sharing information with law enforcement about a breach attempt).
  - Protect the rights, property, or safety of Charm City Networks, our clients, or the public. This includes exchanging information with other companies and organizations for cyberattack protection or credit risk reduction.
- Business Transfers: If Charm City Networks is involved in a merger, acquisition, sale of assets, bankruptcy, or other business transaction, personal data may be transferred to the successor or acquiring entity as part of the transaction. If such a transfer occurs, we will ensure the recipient is bound to respect your personal data in a manner consistent with this Policy, and we will provide notice of any significant change in data handling.
- With Consent: Apart from the above, if we ever need to share your information in a way not covered by this Policy, we will explain the situation and obtain your consent before doing so. You have the right to decline such sharing.
Importantly, we do not sell personal information as defined under the California Consumer Privacy Act (CCPA) and its amendments. This means we do not exchange your personal data with third parties for monetary or other valuable consideration. We also do not share personal data with third parties for their own direct marketing purposes unless you have given us permission.
7. International Data Transfers
Charm City Networks is based in the United States, and the primary location of our operations (and data centers we directly control) is in the U.S. However, we may engage cloud providers or subprocessors that store or process data in other countries. For example, if we use a global cloud hosting service, your data might be stored in a data center within the United States or potentially in another jurisdiction (such as within the European Union or other regions), depending on the service and your needs.
Whenever we transfer personal data across national borders, we will ensure that adequate protections are in place to comply with applicable data protection laws. If you are located in the European Economic Area (EEA), United Kingdom, or another region with data transfer restrictions, we will implement appropriate safeguards for any export of your personal information. These safeguards may include:
- Relying on a transfer mechanism such as the European Commission's Standard Contractual Clauses (SCCs) or other approved contractual clauses, which contractually require the recipient to protect the data to EU GDPR standards.
- Transferring data only to countries that are deemed to have an "adequate" level of data protection by relevant authorities, where applicable.
- Ensuring our third-party processors adhere to certified compliance frameworks (for example, compliance with the EU-U.S. Data Privacy Framework, if applicable in the future, or others).
- Conducting transfer impact assessments and employing additional technical measures (like encryption) for data in transit and at rest in foreign jurisdictions.
Your use of our services or submission of information to us (whether as a client or a website visitor) may involve the transfer of your data to the U.S. (and potentially other jurisdictions) for processing and storage. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. If you have questions about our data transfer practices or require a copy of applicable safeguards, please contact us.
8. Your Privacy Rights
We respect the privacy rights of individuals and strive to comply with all applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Depending on your location, you may have the following rights:
Rights Under GDPR (for EU/EEA/UK Individuals):
- Right to Access: You can request confirmation of whether we process your data and obtain a copy of your data.
- Right to Rectification: You can request correction of inaccurate or incomplete data.
- Right to Erasure: You can request deletion of your data under certain circumstances.
- Right to Restrict Processing: You can request limits on how we use your data.
- Right to Data Portability: You can request your data in a structured, machine-readable format.
- Right to Object: You can object to our processing of your data in certain circumstances.
- Right to Withdraw Consent: If we rely on your consent, you can withdraw it at any time.
Rights Under CCPA/CPRA (for California Residents):
- Right to Know: You can request details about the personal information we've collected about you.
- Right to Access: You can request access to the personal information we maintain about you.
- Right to Delete: You can request deletion of personal information we've collected from you.
- Right to Correct: You can request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
To exercise your privacy rights, you (or your authorized agent) may submit a request to us through the contact methods listed in the Contact Information section below.
9. Policy Updates
We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this Policy. If changes are significant, we will provide a more prominent notice — such as by posting a notice on our website's homepage or emailing clients — prior to the change becoming effective.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use our services or website after a Privacy Policy update takes effect, you will be considered to have accepted the updated policy, unless you expressly consent to changes where your consent is required.
10. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. We are here to help and will respond as promptly as possible.
Contact Details for Privacy Inquiries:
Email: info@charmcitynetworks.com
Phone: 410-514-0300 (please ask for the Privacy Officer or Data Protection contact)
Postal Address: Charm City Networks, 5430 Campbell Blvd Suite 212, White Marsh, MD 21162, USA
For security and privacy reasons, we may ask you to verify your identity before addressing certain inquiries (especially those related to accessing or deleting personal data). If you need to contact our Data Protection Officer or an equivalent privacy contact, please indicate that in your correspondence, and we will direct your query accordingly.