Privacy Policy

Last updated: October 22, 2025

This Privacy Notice for Backup Failed Foundation (“Backup Failed,” “we,” “us,” or “our”) explains how we access, collect, use, disclose, and protect personal information when you interact with our services (“Services”). This includes, but is not limited to, situations where you:

• Access our websites which include backupfailed.com or any affiliated domains, subdomains, or pages that reference this Notice.
• Engage our professional services, including IT support, consulting, managed services, system administration, or training.
• Communicate with us through email, phone, SMS, live chat, ticketing systems, or other communication platforms.
• Participate in our community including online forums, webinars, educational events, surveys, or promotional campaigns.

If you have questions or concerns after reading this Notice, contact support@backupfailed.com. If you disagree with this Notice, please refrain from using our Services.

1. Scope & Who We Are

This Notice describes how Backup Failed Foundation (“Backup Failed,” “we,” “us,” or “our”) handles personal information in our role as a data controller. It applies to information we process through our websites, applications, client portals, and service interactions, including all managed IT, consulting, and support activities.

This Notice does not apply to:

• Third-party websites or platforms that may be linked from our content or communications.
• Independent services provided by vendors, partners, or other entities operating under their own privacy practices.

We encourage you to review the privacy notices of any third-party services you engage with to understand how they handle your information.

2. What We Collect (Categories)

We collect and process personal information as reasonably necessary to operate, improve, and secure our services. The categories of information we collect depend on how you engage with us and the specific services you use:

• Identifiers and contact information: such as your name, business or personal email address, phone number, mailing address, organization, and professional title.
• Account and authentication data: including usernames, login details, and—when authorized as part of managed IT or security services—credentials that you permit us to handle, rotate, or administer on your behalf.
• Communications and service records: such as emails, tickets, chat or SMS logs, attachments, configuration notes, and change documentation generated during support or consulting engagements.
• Device and usage information: including IP addresses, browser and operating system details, pages visited, time stamps, diagnostic data, and system error logs collected automatically through our websites or monitoring tools.
• Payment and billing information: limited invoice and transaction details (e.g., payment status, brand, and last four digits of a card number) received from our payment processor. We do not store or access full card numbers.
• Location information: general location derived from IP address or similar network indicators. We do not collect or track precise GPS data.
• Optional social or federated login data: basic profile information shared by the identity provider (see Section 11 for details).

We do not intentionally seek sensitive characteristics (e.g., race, health). We may process account credentials or similar “sensitive personal information” only to provide managed IT services you request, with access restricted by least privilege.

3. How We Collect It (Sources)

We collect personal information through several channels, depending on how you interact with us and the nature of the services we provide. Most of the information we handle is shared directly with us or generated through the systems you ask us to support.

Direct interactions: You may provide information to us when you complete online forms, request support, sign agreements, send emails or text messages, call our team, or submit service tickets. These exchanges often include basic contact details and any context you choose to share about your technical environment or organization.

Authorized systems and managed environments: When you engage us for managed IT, cloud, or security services, we collect operational data from the systems you authorize us to manage. This may include telemetry, configuration data, alert notifications, and service health information used to maintain functionality, monitor uptime, and ensure compliance with your requested service scope.

Partner and platform data: We also receive limited technical data from our trusted service providers, such as communication delivery logs from Twilio, service status alerts from Microsoft, or analytics and uptime signals from similar vendors. These inputs help us ensure reliable performance and timely support.

Automated website and portal data: When you visit our websites or client portals, certain information is collected automatically through cookies, access logs, and similar technologies. These tools help us secure our systems, analyze performance trends, and improve user experience. You can adjust cookie preferences through your browser settings.

4. Why We Use It (Purposes)

We use personal information to operate our organization and deliver the services you request in a secure, reliable, and efficient manner. This includes using information to provide technical support, administer client environments, manage user authentication, and maintain account records. We also use certain data to communicate with you about service updates, maintenance notifications, or changes to our terms and policies.

Personal information may be processed to protect the integrity and security of our systems, prevent unauthorized access, detect and respond to fraud or abuse, and ensure compliance with our internal policies, contractual commitments, and applicable laws. When necessary, we may use data to investigate, prevent, or take action regarding potential violations of agreements or misuse of our services.

We also analyze information to improve our documentation, user experience, and operational processes. This may include troubleshooting issues, reviewing performance data, and developing new features that enhance reliability and accessibility.

Finally, we may use your contact information to send educational or promotional content, updates, or event invitations—but only if you have explicitly opted in to receive such communications. You may opt out of marketing communications at any time by following the instructions provided in those messages.

5. SMS Program Privacy (A2P Messaging)

If you choose to provide a mobile number and opt in to receive text messages, we may send SMS communications related to your services—such as alerts, account or security notifications, and support updates. Message frequency varies based on your service activity. Standard message and data rates may apply depending on your mobile carrier.

You may opt out of receiving SMS messages at any time by replying STOP, or request assistance by replying HELP. We do not sell, rent, or share mobile numbers with unaffiliated third parties for their own marketing purposes. Carriers are not responsible for delayed or undelivered messages, and message delivery may vary by region or carrier network availability.

SMS communications are delivered through Twilio’s A2P messaging platform, which processes limited data (such as sender, recipient, and timestamp) to facilitate message delivery. For details on Twilio’s privacy practices, please review Twilio’s Privacy Policy. For additional information on how we manage SMS communications, refer to our Terms of Service – SMS Messaging Terms.

6. Cookies, Telemetry, and Tracking

We use cookies, beacons, SDKs, and similar technologies across our website and client portals to support essential functionality, security, performance monitoring, diagnostics, and analytics. These tools help us operate, protect, and improve our online services, and may include providers such as New Relic and other analytics platforms that collect technical and usage data beyond strictly necessary cookies.

These technologies may collect information such as your IP address, general location derived from IP, device and browser identifiers, operating system and version, referring and destination URLs, timestamps, session identifiers, and performance metrics (for example, page load times, resource timings, and Core Web Vitals). They may also capture JavaScript error details, API request metadata, and aggregated click or navigation events. If you are signed in to an authenticated area, certain telemetry may be linked to your account to support troubleshooting and ensure account security.

You can manage or block cookies through your browser settings and, where available, through our on-site cookie controls. Blocking some cookies may affect website functionality or login persistence. If we introduce third-party advertising or retargeting in the future, we will present appropriate consent options and “Do Not Sell or Share My Personal Information” controls in compliance with applicable privacy laws. We use analytics and performance tools solely to understand reliability and user experience; we do not authorize analytics providers to use our telemetry data for their own advertising or profiling purposes.

7. International Users and Data Location

We are a U.S.-based organization, and our Services are primarily directed toward organizations and users within the United States. Our systems and most of our service providers are located in the U.S., and your personal information will be processed and stored there. Privacy and data protection laws in the United States may differ from those in your country or region.

We do not market or position our Services as subject to the data protection regimes of the European Union, the European Economic Area (EEA), or the United Kingdom (GDPR / UK GDPR). If you are located outside the United States and choose to use our Services, you acknowledge and agree that your information will be transferred to, and processed in, the United States under U.S. law. We may, at our discretion, respond to non-U.S. data subject requests as a courtesy; however, we do not represent or commit to full GDPR or UK GDPR compliance unless expressly stated in a separately executed Data Processing Agreement.

Where local laws in your jurisdiction impose specific requirements on your use of our Services, it is your responsibility to ensure that such use is lawful. We reserve the right to decline or discontinue service where providing access would subject Backup Failed Foundation to non-U.S. legal obligations that we have not affirmatively agreed to assume.

8. How We Share Information

We do not sell personal information, and we do not share it for cross-context behavioral advertising or other targeted marketing purposes.

We disclose personal information only in limited circumstances and with appropriate safeguards. Disclosures may occur to trusted service providers under written agreement—such as those supporting our telecommunications, hosting, ticketing, email or SMS delivery, and payment processing functions—who are permitted to use the information solely to perform services on our behalf.

We may also share information with vendors or partners that you explicitly authorize us to coordinate with during service delivery. In addition, we may disclose information when required by law, regulation, or legal process; in response to lawful requests by public authorities; or when necessary to protect our rights, property, personnel, or the safety and security of our users or the public.

In the event of a business transaction such as a merger, reorganization, or other transfer involving Backup Failed Foundation, personal information may be included among the transferred assets, subject to the protections and limitations described in this Notice.

9. Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against accidental, unlawful, or unauthorized access, use, loss, or disclosure. Our systems and core services are hosted primarily in Microsoft Azure and other reputable cloud environments that provide built-in encryption, access control, and compliance protections.

Access to systems and data is restricted according to the principle of least privilege. Multi-factor authentication (MFA) is enforced wherever supported, and conditional access policies are used to limit sign-ins based on device health, location, and role. Administrative activities are logged and monitored through Azure and third-party observability tools to help detect unauthorized behavior and maintain system integrity.

We apply encryption in transit and at rest, follow secure credential management practices, and regularly review vendor security documentation for the service providers that support our operations—including Dropsuite, Zoho, Level.io, Hudu, Wave, New Relic, AWS, Twilio, and Resend. Vendors are expected to handle data only as instructed and to implement reasonable safeguards consistent with industry standards.

We maintain an internal incident response plan to guide detection, containment, investigation, and communication in the event of a suspected or confirmed security incident. Should we determine that unauthorized access to personal information within our control has occurred, we will notify affected individuals and entities as required by applicable law and take steps to mitigate potential harm.

Information is retained only as long as necessary to fulfill the purposes described in this Notice or as required by applicable law, regulation, or contractual obligation. When information is no longer needed, we securely delete or anonymize it in accordance with our data retention and disposal practices.

10. Automated Decision-Making and Artificial Intelligence

Backup Failed Foundation (“Backup Failed,” “we,” “us,” or “our”) may utilize limited forms of automated processing, algorithms, or artificial-intelligence (“AI”) technologies to support the operation, security, and efficiency of our Services. Such tools may be developed internally or provided by trusted third-party vendors and may include data analysis, anomaly detection, predictive maintenance, or pattern recognition systems designed to enhance service reliability and incident response.

We do not engage in fully automated decision-making that produces legal or similarly significant effects on individuals without human oversight. Any AI-assisted processes we employ are used to augment human review and decision-making, not to replace it. All final decisions involving clients, partners, or individuals are subject to human validation and accountability.

Our use of AI and algorithmic tools is governed by the same data protection, security, and access-control standards described in this Privacy Notice, including least-privilege access, encryption, and vendor due diligence. We evaluate AI and algorithmic tools prior to deployment to ensure that they align with our mission, applicable law, and internal governance standards. Where feasible, we assess the quality, relevance, and fairness of data used to train or operate such systems and take reasonable measures to mitigate bias or unintended discriminatory outcomes.

To the extent required by applicable law, you may have the right to request information regarding the existence of automated decision-making involving your personal information, to obtain meaningful information about the logic involved, and to request human review of decisions made solely by automated means, if any. Such requests can be made by contacting us at support@backupfailed.com and will be handled in accordance with Section 17 (Data Requests and Verification Process) of this Notice.

We do not use AI or automated profiling for marketing, credit, insurance underwriting, employment eligibility, or any other high-risk or legally consequential determinations. If, in the future, Backup Failed materially changes the nature or scope of its AI or automated processing practices, we will update this Notice and, where required by law, provide additional disclosure or obtain consent prior to such use.

For the avoidance of doubt, references to “artificial intelligence,” “machine learning,” or “automated processing” in this Notice include any computational or statistical systems capable of generating predictions, classifications, or other analytical outputs based on data patterns, whether or not such systems employ adaptive learning models. This provision is intended to satisfy disclosure requirements under U.S. state privacy laws (including the California Consumer Privacy Act, as amended by the CPRA, and similar state frameworks) and to demonstrate adherence to general principles of algorithmic transparency and fairness.

11. Data Retention

We retain personal information only for as long as necessary to deliver Services, maintain security and operational integrity, comply with legal or accounting obligations, and resolve disputes or enforce agreements. Retention periods vary depending on the type of information and the purpose for which it was collected.

For example, client and account records are typically retained for the duration of the relationship plus a reasonable period afterward, and financial and donor records are maintained for at least seven years to comply with IRS and accounting requirements. Support tickets, configuration data, and service documentation may be kept for a limited time following offboarding to preserve context for follow-up or audit purposes. Website and diagnostic logs are retained only for short operational windows.

Backups are maintained on a rolling twelve-month schedule and securely deleted as new backups replace older ones. Communication archives, including email and SMS messages, are preserved as part of our business records for reference and accountability. When information is no longer needed, we delete it from active systems using secure methods consistent with industry standards and applicable law.

12. Federated and Social Logins

We may enable optional sign-in through trusted identity providers such as Microsoft Entra ID, Google, or Facebook to simplify authentication for future client portals or integrated services. When you choose to sign in using one of these providers, we receive only the basic information that provider shares with us—typically your name, email address, and profile image—and use it solely to authenticate access or provide support.

We do not store social login credentials or reuse tokens beyond what is required for secure session management. Your interactions with the external identity provider remain subject to that provider’s privacy policy and account settings. Using a federated or social login is entirely optional and does not grant us access to your broader account activity with those platforms.

13. Your Choices & Controls

You have certain choices and controls regarding how we communicate with you and how your information is used. These options may vary depending on the nature of your interactions with us and the services you use.

Marketing communications: You can unsubscribe from marketing or informational emails at any time by using the “unsubscribe” link included in those messages or by contacting us directly. If we offer SMS or other promotional channels in the future, you will have the ability to opt in or out as required by law.

SMS notifications: To stop receiving service-related text messages, reply STOP to any message. For assistance, reply HELP. Standard message and data rates may apply.

Cookies and tracking technologies: You may manage or disable cookies through your browser settings at any time. Once implemented, our on-site cookie management interface will allow you to exercise granular control over analytics, performance, and similar non-essential cookies. Disabling or blocking cookies may impair certain functions of the website, including authentication, session stability, and preference retention.

Account or information changes: If you have an account or have otherwise provided information to us, you may contact us to request review, correction, or closure of your account. Requests are handled on a case-by-case basis, and some information may be retained as required by law, for recordkeeping, or to protect security and audit integrity.

14. U.S. State Privacy Rights (CA/CO/CT/UT/VA and similar)

Certain U.S. states provide residents with specific privacy rights, such as the ability to access, correct, delete, or obtain a copy of their personal information, and to opt out of its sale, sharing for cross-context behavioral advertising, or use in certain types of automated decision-making. Backup Failed Foundation does not sell personal information or share it for cross-context behavioral advertising.

To exercise a privacy right permitted by your state law, you may contact us at support@backupfailed.com with “Privacy Request” in the subject line, or use our website contact form. We will verify your identity by confirming the request from the same email address or other contact information already on file. Requests submitted through an authorized agent will require verification of both the agent’s authority and the consumer’s identity.

If you disagree with our response to a privacy request, you may contact us again with “Appeal” in the subject line, and we will review and explain the outcome. This process is voluntary and provided as a courtesy to ensure transparency.

Backup Failed Foundation is a small U.S. nonprofit and service provider, not a data broker, ad platform, or large-scale processor of consumer data. While we respect and accommodate applicable privacy rights to the extent required by law, many state-level privacy obligations do not apply to our operations. We nevertheless strive to handle all personal information with the same level of care and respect expected under modern privacy principles.

California Notice at Collection (Summary)

This summary provides an overview of the categories of personal information we collect, the purposes for which we use it, and general retention practices. It is provided to satisfy the notice requirements under California law and does not replace the full Privacy Notice above.

We do not knowingly process children's data for advertising purposes and do not sell or share personal information for cross-context behavioral advertising. If we introduce advertising or retargeting technologies in the future, we will provide a “Do Not Sell or Share My Personal Information” control as required by law.

California “Shine the Light” (CA Civ. Code §1798.83): We do not disclose personal information to third parties for their own direct marketing purposes.

15. Children’s Privacy

Our Services are intended for use by organizations and adults. We do not knowingly collect, maintain, or use personal information from children under 13 years of age, and our Services are not directed to individuals under that age. If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will promptly delete the information and take steps to prevent further collection.

Consistent with applicable state laws, we also do not knowingly sell or share personal information for cross-context behavioral advertising involving minors under 16 years of age. We do not knowingly permit minors to register for or use our Services in any way that would require submission of personal information beyond limited, business-related contact details provided by adults.

If you believe that a minor has provided personal information to us, please contact support@backupfailed.com. We will review and respond to the request in accordance with applicable child privacy and data protection laws.

16. Do Not Track & Global Privacy Signals

Some browsers and extensions allow users to send a “Do Not Track” (DNT) or similar signal to websites. At this time, no uniform technical standard has been adopted to govern how organizations should respond to such signals, and most websites—including ours—do not currently take action in response to them. Accordingly, we do not interpret or respond to DNT signals.

We recognize, however, that certain privacy laws, including the California Consumer Privacy Act (as amended by the CPRA), refer to “Global Privacy Control” (GPC) signals or equivalent browser-based preferences. If and when legally recognized technical standards for honoring GPC or comparable mechanisms are finalized, Backup Failed Foundation will assess and implement appropriate updates to its systems and this Notice to ensure compliance.

Regardless of browser signals, you may exercise available privacy and opt-out choices directly through the methods described in the Your Choices & Controls and U.S. State Privacy Rights sections of this Notice.

17. Data Requests and Verification Process

Individuals may exercise applicable privacy rights by submitting a request to support@backupfailed.com with “Privacy Request” in the subject line or through our website’s contact form. Depending on your location and the nature of your relationship with Backup Failed Foundation, these rights may include access, correction, deletion, or receipt of a copy of your personal information, as well as the right to opt out of certain processing or disclosures.

We verify the identity of each requestor before processing a request. Verification typically involves confirming that the request originates from the same email address or contact information already associated with our records, or requesting additional information sufficient to reasonably confirm identity. Authorized agents may submit requests on behalf of another individual if they provide documentation demonstrating valid authorization and, where required, the individual’s own verification of identity.

We respond to verified requests within the period required by applicable law—generally within forty-five (45) days—and will notify you if additional time is needed to complete the request. Certain information may be exempt from deletion or disclosure where retention is necessary to comply with legal, security, or contractual obligations. If we decline a request, we will explain the reason, and you may contact us to seek further review or clarification.

Backup Failed Foundation does not discriminate against individuals for exercising privacy rights and will not deny services, charge different rates, or provide a different level of service solely because a privacy right has been exercised.

18. Changes to This Privacy Notice

We reserve the right to modify or update this Privacy Notice at any time to reflect changes in our practices, legal requirements, or the functionality of our Services. When we make updates, we will revise the “Last Updated” date shown at the top of this Notice. All revisions become effective immediately upon posting unless otherwise stated.

If a change materially affects the way we collect, use, or disclose personal information, we will provide additional notice in a manner we consider reasonably appropriate—such as by email, site banner, or in-portal message—so that affected individuals are informed before the change takes effect. We encourage you to review this Notice periodically to remain aware of how we protect your information.

Continued use of our Services following the posting of an updated Privacy Notice constitutes your acknowledgment of the changes and your agreement to the revised terms. The current version of this Notice supersedes all prior versions.

19. Contact

Backup Failed Foundation
Arroyo Grande, CA 93420, United States
Email: support@backupfailed.com
Phone: 805-900-4505

Privacy requests and notices: For privacy requests (access, correction, deletion, opt-out, or other inquiries regarding this Notice), please submit a signed request to support@backupfailed.com. We will process and respond to requests in accordance with applicable law and the verification procedures described in Section 16 (Data Requests and Verification Process) of this Notice.

Governing law and jurisdiction: This Privacy Notice and any dispute arising out of or related to this Notice shall be governed by the laws of the State of California, without regard to conflict of law principles. The state and federal courts located in San Luis Obispo County, California shall have exclusive jurisdiction over any claim arising out of or relating to this Notice.

No contractual rights: This Privacy Notice is intended to provide information about our privacy practices and does not create or confer any contractual rights or obligations. Nothing in this Notice should be construed to limit Backup Failed Foundation’s legal rights or remedies.

Severability: If any provision of this Notice is found to be invalid, illegal, or unenforceable in any respect, the validity, legality, and enforceability of the remaining provisions will not be affected or impaired.