KIT MSP Privacy Policy
Effective date: November 1, 2025
Who we are: KIT MSP (“KIT MSP,” “we,” “us,” or “our”) provides managed IT, cybersecurity, cloud, and related professional services to business customers. Our website is https://www.kitmsp.com
This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit kitmsp.com, use our support portal, interact with us for sales or service, or otherwise engage with our business.
Quick summary
- We collect only what we need to run our website, respond to inquiries, deliver/secure our services, and meet legal obligations.
- We do not sell or share your personal information for cross‑context behavioral advertising.
- For managed services, we act as a data processor for our customers and handle their data according to our contracts and Data Processing Addendum (DPA).
- You have rights over your data. See Your Privacy Rights below.
1) Scope & Roles
- Website/Marketing/Business Contacts. For information we collect about visitors, prospects, vendors, and partners, KIT MSP is the data controller.
- Managed Services & Support. For information we process on behalf of our business customers (e.g., device telemetry, tickets, backups), the customer is the data controller and KIT MSP is the data processor/service provider. Our processing is governed by the master services agreement and any applicable Data Processing Addendum (DPA). We will provide a DPA upon request.
2) Information We Collect
We collect information in three main ways: directly from you, automatically through our website/systems, and from third‑party sources (e.g., your employer, vendors).
A. Information you provide
- Contact details: name, business email, phone, company, job title.
- Support & projects: ticket content, remote session notes, device names, configuration details, and files/logs you choose to share for troubleshooting.
- Account/portal: usernames, role, and audit logs (passwords are stored in hashed form by our identity systems).
- Payment/billing: billing contact details and transaction metadata (card details are handled by our payment processors; we do not store full card numbers).
- Recruiting (if you apply): résumé/CV, cover letter, and interview notes.
B. Information collected automatically
- Website analytics & security: IP address, device/browser type, pages viewed, timestamps, referring URLs, and interactions (for performance, security, and analytics).
- Cookies & similar tech: see Cookies & Tracking below.
- RMM/Monitoring (managed services): device identifiers, OS version, installed software/patch status, performance and security telemetry, and event logs as needed to deliver services.
- Remote support: session metadata (start/end, technician, device) and—if you consent—session recordings or screenshots for quality, audit, or troubleshooting.
C. Information from other sources
- Your employer (when you are an authorized contact or end‑user for a customer).
- Vendors/partners (e.g., directory or identity providers, email security tools).
- Public sources (e.g., company websites, professional profiles used for B2B outreach).
We do not intend to collect sensitive personal information on the website. In managed services contexts, we may process limited sensitive categories (e.g., authentication credentials) strictly to fulfill the contract and secure systems, not for marketing.
3) How We Use Information
We use information to:
- Provide and support services: operate our website and support portal, triage tickets, deliver remote assistance, monitor/patch systems, and run backups.
- Secure systems: prevent, detect, and investigate security events, abuse, or fraud; maintain audit logs; enforce acceptable use and access controls.
- Communicate: respond to inquiries, send service notifications, maintenance advisories, and—if you opt in or it’s permitted for B2B—marketing communications.
- Improve: develop and enhance our offerings, quality‑assure support, and train staff (using de‑identified or aggregated data where possible).
- Comply: meet legal, regulatory, tax, and contractual obligations; exercise or defend legal claims.
Legal bases (EEA/UK where applicable)
We rely on contract, legitimate interests (e.g., to secure systems and operate our business), consent (e.g., certain cookies/marketing), and legal obligation.
4) Cookies & Tracking
We use cookies and similar technologies for:
- Essential operations: site security, login sessions, load balancing.
- Preferences: remember settings (e.g., display options).
- Analytics: understand site usage to improve content and performance.
You can control cookies in your browser settings. If required in your region, we display a cookie banner and honor your preferences. We do not use cookies to sell or share your information for cross‑context behavioral advertising.
WordPress specifics (if enabled):
- Comments: When visitors leave comments, we collect the data shown in the form, plus IP address and browser user‑agent for spam detection. An anonymized string from your email may be sent to Gravatar to display an avatar. After approval, your profile image is public in the context of your comment.
- Media: Avoid uploading images with embedded location data (EXIF GPS). Visitors can download and extract location data from images.
- Login/session cookies: WordPress sets temporary/test cookies, login cookies (up to two weeks if “Remember Me”), and screen‑option cookies (up to one year). Editing/publishing a post may set an additional cookie with the post ID (expires after one day).
- Embedded content: Articles may include content embedded from other sites (e.g., videos). Embedded content behaves as if you visited the other site, which may collect data about you.
5) Managed Services: Remote Access, RMM & Backups
For customers under contract, our tools may:
- Collect device telemetry (health, patch level, software inventory) to maintain, secure, and support systems.
- Enable remote assistance where a technician, under your organization’s authorization, can view or control a device to resolve issues.
- Perform backups and disaster recovery in line with the agreed schedule and retention policies.
We apply the principle of least privilege, enable multi‑factor authentication for administrative access, maintain role‑based access controls, and keep audit logs of administrative actions. Where feasible, we use encryption in transit and at rest.
6) How We Share Information
We do not sell personal information and we do not share it for cross‑context behavioral advertising.
We disclose information only to:
- Service providers/sub‑processors that help us operate (e.g., hosting, ticketing/PSA, RMM/remote support, email/security filtering, backup/disaster recovery, analytics, payment processing). They are bound by confidentiality and process data only on our instructions.
- Your organization (the customer) and its authorized users/administrators.
- Professional advisors (lawyers, accountants) under confidentiality.
- Authorities where required by law or to protect rights, privacy, safety, or property.
- Business transfers (e.g., merger, acquisition) subject to this Policy’s protections.
We maintain a current list of sub‑processor categories and will provide specific vendor names upon request or in your DPA.
7) Data Retention
We keep information only as long as necessary for the purposes described or as required by law/contract. Example default retention periods (adjust to your needs):
- Website leads & contact forms: 24 months after last interaction.
- Support tickets & device logs: 3–7 years after contract end (audit/compliance).
- Remote session metadata/recordings: 12 months (unless needed longer for investigations).
- Backups: per the customer’s backup policy (e.g., daily with 30–365 days retention).
- Analytics data: 14–26 months depending on tool configuration.
- Applicant data: 12–24 months (or per local law).
We may retain anonymized/aggregated data indefinitely.
8) Security
We use administrative, technical, and physical safeguards designed to protect information, including:
- Encryption in transit and, where feasible, at rest;
- MFA for privileged accounts;
- Network segmentation & endpoint protections;
- Vulnerability management & patching;
- Access controls, logging, and monitoring;
- Employee training & confidentiality commitments.
No system is perfectly secure. If we detect a breach impacting your information, we will notify you and regulators as required by law and our contracts.
9) International Transfers
If we transfer personal data outside your country (e.g., to the U.S.), we will rely on appropriate safeguards such as Standard Contractual Clauses, an adequacy decision, or other lawful mechanisms. Details are available on request or in your DPA.
10) Your Privacy Rights
Depending on where you live, you may have rights to:
- Access the personal information we hold about you;
- Correct inaccurate information;
- Delete information;
- Port your information;
- Restrict or object to certain processing;
- Withdraw consent where processing is based on consent;
- Opt‑out of certain uses such as targeted advertising or profiling (we do not engage in these on our site).
How to exercise your rights: Email privacy@kitmsp.com
11) California Notice at Collection (CPRA)
We collect the following categories of personal information for the business purposes described in this Policy:
| Category | Examples | Sources | Purposes | Sold/Shared for cross‑context ads |
|---|---|---|---|---|
| Identifiers | name, business email, IP | you, your employer, automatic | provide services, secure, communicate, analytics | No |
| Customer records | billing contact details | you/your employer | billing, contract | No |
| Commercial info | services purchased | you/your employer | account management | No |
| Internet activity | pages viewed, logs | automatic | security, analytics | No |
| Geolocation (coarse) | derived from IP | automatic | security, localization | No |
| Professional info | company, role | you/your employer, public | B2B communications | No |
| Audio/visual | support call recordings (if consented) | you | support QA, training | No |
| Sensitive info | account login credentials (hashed), MFA metadata | you/your employer | secure access, authentication | No |
12) Children’s Privacy
We collect the following categories of personal information for the business purposes described in this Policy:
13) Third‑Party Websites & Services
Our site may link to or embed third‑party content and services (e.g., videos, maps, social posts). Data practices of those third parties are governed by their own policies.
14) Changes to This Policy
We may update this Policy from time to time. The “Effective date” will show the latest version. Significant changes will be communicated via the website or email (if appropriate).
15) Contact Us
Email: privacy@kitmsp.com or Contact Us
16) WordPress‑Specific Details
- Comments, Media, Cookies, Embedded Content — same behaviors as described above (spam detection, Gravatar hash, EXIF location data in images, login/session cookies, embedded content acting like a visit to the third‑party site).
- If you request a password reset, your IP address may be included in the reset email for security.