Data Protection & Confidentiality

LAST UPDATED: JUNE 29, 2026

This Data Protection & Confidentiality Policy governs how BrandShyp LLC (“we,” “us,” “our”) safeguards the privacy and confidentiality of all confidential information obtained in the course of an engagement — including information received from our clients, from a client’s customers, residents, or stakeholders, and from any other source. It applies to all BrandShyp personnel and any approved subcontractors, and to information in any form (electronic, printed, or verbal). It complements our Privacy Policy, which addresses website-visitor data.

1. What We Treat as Confidential

Confidential information includes any non-public data, records, personally identifiable information (PII), program data, draft materials, strategic plans, stakeholder lists, or analytics provided by or developed for a client — whether or not marked “confidential.” Client data remains the property of the client.

2. Handling & Use

• Confidential information is used solely to perform the contracted services, and is never sold, rented, or disclosed for any unrelated purpose.
• Access is limited to personnel with a need to know to deliver the engagement (least-privilege).
• Client data is not shared with third parties or subcontractors except as required to deliver the services the client has authorized, and only under equivalent confidentiality obligations.

3. Technical & Organizational Safeguards

BrandShyp maintains a NIST SP 800-171-aligned security program (self-assessed, SPRS +90):

• In transit: TLS 1.2+ with enforced security headers.
• At rest: access-controlled storage; secrets vaulted (never stored in code repositories); logs scrubbed of sensitive values.
• Identity & access: TOTP multi-factor authentication, SSH key-only access, and zero-trust controls on internal tools.
• Continuity: nightly encrypted backups with rollback snapshots.
• Defense in depth, applied by default — not bolted on.

4. Compliance with Law

We handle confidential information in compliance with applicable Texas and federal law, including the Texas Data Privacy and Security Act (TDPSA), the Texas Business & Commerce Code, and the Texas Public Information Act, consistent with current opinions of the Texas Attorney General. Where a client designates material as confidential or as trade secret under the Public Information Act, we handle it accordingly.

5. Retention, Return & Destruction

We retain records only as long as necessary to fulfill the engagement or to satisfy a legal retention obligation (client and billing records: minimum 7 years per Texas requirements). On request or at contract close-out, we return or securely destroy client confidential information not subject to a legal hold.

6. Incident Response

On discovery of any suspected unauthorized access to or disclosure of client confidential information, we contain the incident, notify the client’s designated contact promptly, cooperate fully in investigation and remediation, and comply with applicable breach-notification law.

7. Personnel Obligations

All BrandShyp personnel are bound by these obligations as a condition of access, and these obligations survive the end of the engagement.

8. Contact

Confidentiality or data-protection questions:

BrandShyp LLC  |  P.O. Box 90, Elmendorf, TX 78112
[email protected]  (response within 30 days)