Privacy Policy
How Mahoney IT Group USA LLC collects, uses, discloses, and protects your Personal Information.
Effective Date: April 19, 2026
At a Glance
This is a quick summary. Full details follow in Sections 1 through 18.
- Who we are: Mahoney IT Group USA LLC, Boca Raton, Florida. We operate mahoney-it.tech.
- What we collect: Contact form details (company, name, business email, phone [optional], region, inquiry type, message), server logs (IP, user agent, timestamp), and a bot-protection token (Cloudflare Turnstile).
- Why we collect it: To respond to inquiries, route them to the appropriate regional team, operate the website securely, and prevent automated abuse.
- Who we share it with: Three service providers — Vercel (hosting), Resend (transactional email), Cloudflare (bot protection). All US-based.
- We do not sell or share your Personal Information for targeted advertising. We do not use analytics, marketing pixels, or behavioral profiling.
- Your rights: You may request access, deletion, correction, or portability of your data. California residents have additional rights under the CCPA/CPRA.
- How to contact us: info@mahoney-it.com. We respond within 45 days to verified consumer requests.
1. Introduction and Scope
This Privacy Policy describes how Mahoney IT Group USA LLC (“Mahoney IT”, “we”, “us”, or “our”) collects, uses, discloses, and protects Personal Information when you visit our website at mahoney-it.tech (the “Site”), submit the contact form, or otherwise interact with us online.
This Site is operated by Mahoney IT Group USA LLC and is directed at business users located in the United States. We also maintain a separate German website at mahoney-it.com, which is governed by a separate Datenschutzerklärung under EU law. If you are located in the European Union or the European Economic Area, please refer to Section 15 (“International Visitors”).
This Policy applies to information we collect through the Site. We do not issue a separate privacy notice for the Mahoney Control platform; data processing within the platform is governed contractually by a Master Services Agreement (MSA) and, where required by applicable data protection law, a separately executed Data Processing Addendum (DPA) between Mahoney IT and its customers.
2. Who Operates This Site
The business responsible for the processing of your Personal Information is:
Mahoney IT Group USA LLC
Mizner Park, 433 Plaza Real, Suite 275
Boca Raton, FL 33432
United States
Email: info@mahoney-it.com
Website: https://mahoney-it.tech
Mahoney IT Group USA LLC is part of the Mahoney IT group of companies, which maintains offices across North America, Europe, and Asia. For inquiries from European residents relating to EU-processed data, please also see the Datenschutzerklärung at mahoney-it.com.
3. Key Terms
- “Personal Information” (PI) means any information that identifies, relates to, describes, or could reasonably be linked with a particular individual or household, as defined by the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”).
- “Sensitive Personal Information” (Sensitive PI) has the meaning given in CPRA § 1798.140(ae).
- “Service Provider” has the meaning given in CCPA § 1798.140(ag) and refers to third parties we engage to process PI on our behalf.
- “Sell” and “Share” have the meanings given in CCPA/CPRA. We do neither.
4. Personal Information We Collect
In the past 12 months, we have collected the following categories of Personal Information:
| CCPA Category | Examples | Source |
|---|---|---|
| Identifiers | Name, business email address, company name, phone number (optional) | Directly from you (contact form) |
| Internet or Network Activity | IP address, browser type, operating system, pages viewed, timestamps, referring URL | Automatically collected via server logs |
| Geolocation Data (coarse, self-reported) | Geographic region (Americas, Europe, or Asia Pacific) selected by you to route your inquiry to the appropriate regional team | Directly from you |
| Professional or Employment-Related Information | Company name, inquiry type (sales, support, partnership, etc.) | Directly from you |
| Commercial Information | Nature of your inquiry as described in the message you send us | Directly from you |
| Inferences | None. We do not profile visitors or build behavioral inferences. | N/A |
Sensitive Personal Information (CPRA)
We do not collect Sensitive Personal Information as defined by CPRA § 1798.140(ae). This means we do not collect government-issued identifiers (SSN, driver’s license), account login credentials in combination with passwords, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, genetic or biometric data, health data, or data about sex life or sexual orientation.
Information We Do Not Collect
- We do not set tracking, analytics, or advertising cookies. Cloudflare Turnstile may set a cookie during contact form submission as part of its bot-detection process; this cookie is classified as strictly necessary and does not track you across sites.
- We do not currently use third-party analytics tools, marketing or advertising tracking pixels, behavioral profiling, or automated decision-making that produces legal effects.
- Any future addition of such services will be reflected in this Policy before the service becomes active. In case of material changes, we will provide additional notice as required by law.
5. How We Use Personal Information
We use the Personal Information we collect for the following business purposes:
| Purpose | Category Used | Legal Basis (CCPA Business Purpose) |
|---|---|---|
| Respond to your inquiries and requests | Identifiers, Professional Info, Commercial Info | Performing a service requested by you |
| Route your inquiry to the appropriate regional team | Geolocation (self-reported region) | Performing a service requested by you |
| Operate, secure, and debug the Site | Internet or Network Activity | Short-term transient use; maintaining quality and safety |
| Prevent fraud, spam, and automated abuse | Internet or Network Activity | Security and fraud prevention |
| Comply with legal obligations | All categories as needed | Legal compliance |
We do not use Personal Information for cross-context behavioral advertising, targeted advertising, profiling, or for sale to third parties.
6. Service Providers and Disclosures
We engage a limited number of Service Providers to support the operation of the Site. All Service Providers are contractually restricted from using your Personal Information for any purpose other than the specific services they perform for us.
| Service Provider | Purpose | Data Categories Shared | Location |
|---|---|---|---|
| Vercel Inc. 440 N Barranca Ave #4133 Covina, CA 91723, USA | Website hosting and edge delivery. Vercel receives IP addresses, request metadata, and server log data as a technical necessity of serving the website. | Internet or Network Activity | United States |
| Resend, Inc. 2261 Market Street #4010 San Francisco, CA 94114, USA | Transactional email delivery. When you submit the contact form, Resend processes your email address, name, and the content of the double-opt-in confirmation email we send you, as well as any internal notification emails related to your inquiry. | Identifiers, Commercial Information (content of your message) | United States |
| Cloudflare, Inc. 101 Townsend Street San Francisco, CA 94107, USA | Bot protection (Cloudflare Turnstile). Turnstile performs a lightweight proof-of-humanity check when you submit the contact form. It does not track you across sites. | Internet or Network Activity (challenge token, IP) | United States |
Each Service Provider is contractually bound by its standard Data Processing Agreement or equivalent terms, which we accept as part of our service agreements with them.
We may also disclose Personal Information when required by law, to enforce our Terms, or to protect our rights or the rights of others.
7. “Do Not Sell or Share My Personal Information”
We do not sell Personal Information as defined by the CCPA/CPRA, and we have not sold Personal Information in the preceding twelve (12) months. We do not share Personal Information for cross-context behavioral advertising, and we have not done so in the preceding twelve (12) months.
We also do not use or disclose Sensitive Personal Information for any purpose other than those permitted without the right to limit under CCPA § 1798.121(d).
Because we do not sell or share Personal Information, there is no action for you to take to opt out of such activities at this time. This statement is provided to comply with CCPA/CPRA § 1798.135 and equivalent requirements under other U.S. state privacy laws.
If this practice changes in the future — for example, if we begin using advertising cookies or tracking pixels — we will update this Policy, provide clear notice, and implement a compliant opt-out mechanism (including a “Your Privacy Choices” link in the website footer) before any such sharing begins.
8. How Long We Keep Personal Information
We retain Personal Information only as long as necessary to fulfill the purposes set out in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements.
Server logs (IP addresses, request metadata)
Retained for the duration provided by our hosting provider (typically up to thirty (30) days) for security, debugging, and abuse prevention, then automatically deleted or anonymized.
Contact form inquiries
Retained for six (6) months after resolution of the inquiry for operational follow-up. Where the inquiry results in a business relationship or contract, records may be retained for up to seven (7) years to meet U.S. tax and commercial record-keeping requirements.
Double-opt-in confirmation records
Retained for at least three (3) years after the inquiry is closed, as evidence of your lawful consent to contact under applicable anti-spam and consumer-protection laws (e.g., CAN-SPAM, TCPA, and state UDAP statutes).
Retention following a deletion request
Where we are legally required to retain records beyond a verified deletion request (e.g., for tax, audit, or dispute-resolution purposes), we retain only the minimum information necessary and restrict further use to that legal purpose.
9. How We Protect Information
We take the security of Personal Information seriously. We implement administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, disclosure, alteration, or destruction. These include encrypted transport (HTTPS/TLS), access controls, logging and monitoring, and periodic review of our security practices.
No method of transmission over the internet or electronic storage is one hundred percent secure. If we become aware of a security incident affecting your Personal Information, we will notify you and applicable regulators as required by law.
10. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following rights with respect to your Personal Information:
Right to Know
You have the right to request that we disclose what Personal Information we collect, use, disclose, and (if applicable) sell or share about you, including the categories of Personal Information, the categories of sources, the business purposes, and the categories of third parties with whom we share it.
Right to Access / Portability
You have the right to request a copy of the specific pieces of Personal Information we have collected about you, in a readily usable format where technically feasible.
Right to Delete
You have the right to request that we delete Personal Information we collected from you, subject to certain exceptions (e.g., information we need to retain to complete a transaction, detect security incidents, comply with legal obligations, or exercise legal rights).
Right to Correct
You have the right to request that we correct inaccurate Personal Information we maintain about you.
Right to Opt Out of Sale / Sharing
You have the right to direct a business that sells or shares Personal Information to stop doing so. As noted in Section 7, we do not sell or share Personal Information, so this right does not currently require any action on your part.
Right to Limit Sensitive PI
Where a business uses Sensitive Personal Information to infer characteristics about a consumer, you have the right to limit that use. As noted in Section 4, we do not collect Sensitive Personal Information, so this right does not currently require any action on your part.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. We will not deny services, charge different prices, or provide a different level of quality because you exercised your rights.
11. How to Exercise Your Rights
To exercise any of the rights described in Section 10, please contact us at info@mahoney-it.com with “Privacy Request” in the subject line, or via mail at the address listed in Section 2.
Identity Verification
To protect your Personal Information and prevent unauthorized disclosure, we may need to verify your identity before responding to your request. Verification may involve asking you to confirm specific pieces of information already in our records (such as the email address, company name, and approximate date of your inquiry). We will request only the information reasonably necessary to verify your identity. Identity verification is a separate process from the double-opt-in step used for contact form submissions and is not inferred from it.
Authorized Agents
You may designate an authorized agent to make a request on your behalf. We will require written proof of authorization (e.g., a signed permission or power of attorney) and may require you to verify your identity directly with us.
Response Timeframes
We will respond to verifiable consumer requests within the timeframes required by applicable law — generally forty-five (45) days under CCPA/CPRA, extendable by an additional forty-five (45) days where reasonably necessary, with notice to you.
No Fee
We will not charge a fee for responding to a verifiable consumer request unless it is manifestly unfounded or excessive, as permitted by law.
Appeal
Where applicable state privacy law provides a right to appeal a refusal to act on a request, and we decline to act on your request, we will inform you of the appeal procedure available under that state’s law.
12. Residents of Other U.S. States
Residents of other U.S. states with comprehensive privacy laws may have rights substantially similar to those described in Section 10, subject to that state’s specific definitions, thresholds, and exceptions.
U.S. State Rights
In particular, residents of the following states have enumerated privacy rights under the laws of their respective states, which we honor to the extent those laws apply to our processing of your Personal Information:
- Florida — Florida Digital Bill of Rights (FDBR)
- California — California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA); see Section 10 above
- Texas — Texas Data Privacy and Security Act (TDPSA)
- Virginia — Virginia Consumer Data Protection Act (VCDPA)
- Colorado — Colorado Privacy Act (CPA)
- Connecticut — Connecticut Data Privacy Act (CTDPA)
To the extent these laws apply to our processing of your Personal Information, we honor the applicable rights — including access, correction, deletion, portability, and opt-out of targeted advertising, sale, or profiling with significant effects — through the same contact procedure described in Section 11.
Residents of other U.S. states with comparable privacy laws (including, without limitation, Utah, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, and Rhode Island) may exercise the rights provided under their state’s law through the same contact procedure.
Because we do not sell Personal Information, do not engage in cross-context behavioral advertising, and do not conduct profiling that produces legal or similarly significant effects, most opt-out rights under these laws do not currently require any action on your part.
13. Global Privacy Control and Do-Not-Track
Global Privacy Control (GPC). The Global Privacy Control is a browser-based signal that allows you to communicate your privacy preferences to websites you visit. We honor valid GPC signals as an opt-out request under the CCPA/CPRA and applicable state privacy laws (including Colorado, Connecticut, and Texas), to the extent those laws require honoring such signals.
Our server automatically detects the Sec-GPC HTTP header when you visit the Site. Because we do not currently sell or share Personal Information for cross-context behavioral advertising, the GPC signal has no Personal Information to suppress at this time. The honoring mechanism is nonetheless active: if we ever begin selling or sharing Personal Information, visitors with GPC enabled will automatically be excluded from such activity without any further action on their part.
Do Not Track (DNT). Web browsers may offer a “Do Not Track” setting. Because no industry standard has emerged for how websites should interpret this signal, we do not currently respond to DNT signals.
14. Children’s Privacy (COPPA)
This Site is directed to businesses, not to children. We do not knowingly collect Personal Information from children under the age of thirteen (13). If you believe a child under 13 has provided Personal Information to us, please contact us at info@mahoney-it.com and we will promptly delete such information.
In addition, we do not knowingly sell or share the Personal Information of minors under the age of sixteen (16) under CCPA/CPRA § 1798.120(c).
15. International Visitors (EU/EEA, UK, and Others)
This Site is operated from the United States and is intended primarily for visitors in the Americas. If you access the Site from outside the United States, please be aware that your Personal Information will be transferred to, stored, and processed in the United States.
For visitors from the European Economic Area (EEA), the United Kingdom, or Switzerland:
We recognize that U.S. data protection law differs from the requirements of the GDPR and UK GDPR. In particular:
- U.S. federal law may permit government authorities to access data in certain circumstances (e.g., under the CLOUD Act or Section 702 of FISA). This is a structural difference from EU/UK law and was part of the Schrems II ruling.
- Where Mahoney IT Group USA LLC acts as a processor or sub-processor for EU-established customers of the Mahoney IT group, cross-border transfers are governed contractually by the separately executed Data Processing Addendum (DPA) referenced in Section 1, which incorporates the Standard Contractual Clauses (SCCs) under GDPR Art. 46 and, where applicable, the EU-U.S. Data Privacy Framework (DPF) or its UK/Swiss extensions.
- For purely informational visits to this Site (reading content, submitting a contact form), we process Personal Information in the United States on the basis of your voluntary decision to contact a U.S.-operated Site and your explicit confirmation via the double-opt-in step.
Our Commitment to Transparency
In line with our commitment to Absolute Integrity, we proactively inform users about the implications of U.S. jurisdictional reach (such as FISA 702 and the CLOUD Act) via an interstitial notice before any cross-border data transfer occurs. We do not voluntarily cooperate with intelligence requests beyond our legal obligations, and we publish a transparency statement describing our approach to lawful government requests.
For any questions about the EU/UK treatment of your data in the context of customer or partner relationships, please see the Datenschutzerklärung at mahoney-it.com or contact us directly.
16. Accessibility
We are committed to making this Privacy Policy accessible to all visitors. If you have difficulty accessing any part of this Policy due to a disability, please contact us at info@mahoney-it.com and we will work with you to provide the information in an alternative format.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the “Effective Date” at the top of this Policy. For material changes, we will provide additional notice on the Privacy Policy page before the changes become effective.
We encourage you to review this Policy periodically to stay informed about our practices.
18. Contact Us
If you have questions about this Privacy Policy, about how we handle Personal Information, or if you wish to exercise any of the rights described above, please contact us:
Mahoney IT Group USA LLC
Mizner Park, 433 Plaza Real, Suite 275
Boca Raton, FL 33432
United States
Email: info@mahoney-it.com
Website: https://mahoney-it.tech
For inquiries relating to EU/UK/Swiss data protection matters handled by our European entity, please also see the Datenschutzerklärung at mahoney-it.com, which lists the relevant EU contact channel.