Privacy and Security Policies and Procedures

Professional Exchange Service Corporation (PESC) will never sell its customer lists or nonpublic personal information to any third party. These privacy policies and procedures implement our obligation to protect the “non-public personal information” that we create, receive or maintain on consumers or customers.

PESC respects your right to privacy, and we have always placed a high priority on protecting the personal information that is provided to us. PESC uses personal information for legitimate business purposes only, and our Privacy Promise is to continue to protect your right to privacy.

PESC agrees to maintain the confidentiality of personal consumer information solely for purposes of our Agreements. PESC agrees that all confidential consumer information shall be held in strict confidence, using the same care as is used in handling its own confidential information, and agrees that it will not use such information to its own commercial advantage or in any other manner except in the performance of our Agreements.

Information We May Collect

We collect and use information that is necessary to administer our business and to provide you with services and customer service. We may collect and maintain several types of customer information needed for these purposes:

  • Information you provide to us on applications and other forms;
  • Information from your transactions with us or our contracted clients;
  • Information from industry databases.

The types of information we receive may include addresses, Social Security numbers, industry license numbers, private health information and credit card account numbers. PESC will not share the nonpublic personal information of current or former clients or customers with non-affiliated third parties:

 

  1. No use or disclosure: Our office will not use or disclose non-public personal information except as these Privacy Policies and Procedures or our annual privacy practices notice permit or require, or as permitted by law.
  2. Medical Information Privacy: Our office will not disclose or share medical or other specified information at any time as defined in CIC Section 791.13(k) without express written consent from the consumer or customer. A consumer or customer may at any time revoke their consent to disclose or share information by written notice. The revocation shall be placed in the consumer's or customer's file and notations made in any electronic records.
  3. Exemption to Consent: Our office may disclose or share non-public personal information without express notice or consent in the course of performing a transaction authorized by the consumer or customer or as permitted in CIC Section 791.13.
  4. Notice of Privacy Procedures: Our office will provide an initial and annual Privacy Practices Notice to each customer as required by CIC Section 791 and Title 10 California Code of Regulations Sections 2689.1 to 2689.24 and to all consumers before disclosure of any non-public personal information to non-affiliated third parties. We will promptly revise our Privacy Practices Notice when there is a material change to our use or disclosure of non-public personal information, legal duties, consumers’ or customers’ rights or to other privacy practices that render the statements in that notice no longer accurate.

    The notices are available upon request.
  5. Distribution of Our Notice: Each customer will receive his or her initial privacy practices notice from this office no later than the delivery of service. Each customer will receive a notice annually on a date established by us, which reflects our current privacy practices. This annual privacy notice supersedes all prior initial or annual notices.
  6. Minimum Necessary Disclosure: Our office will make reasonable efforts to protect consumer/customer privacy by disclosing or sharing the minimum necessary non-public personal information to accomplish the intended function, transaction, or service.
  7. Customer or Consumer Rights: Our office will honor customers’ and consumers’ rights regarding their non-public personal information.
    1. Access: Our office will honor requests in writing to view and copy customer or consumer records that are reasonably identified, reasonably locatable and retrievable. We will, within 30 days of receipt of the request, contact the customer or consumer, inform them of the nature and substance of the recorded information, and make arrangements for them to view the information and to make copies for them, for which we will charge 15¢ per page plus $15.00 per hour for staff time. We will also disclose to the individual the identities of those persons with whom we have shared or disclosed the customer’s/consumer’s non-public personal information.
    2. Amendments: Customers or consumers have the right to request an amendment, correction or deletion to their non-public personal information held by us. Our office will, within 30 days of such request, inform the customer or consumer of our decision to amend, correct, or delete or our decision to not amend, correct or delete. If we decide to amend, correct or delete, we will notify the customer or consumer in writing and will additionally notify those persons to whom we shared or disclosed the original information.

      If we decide not to make any changes, the customer or consumer has a right to submit in writing a concise statement setting forth what the customer or consumer thinks is the correct, relevant or fair information and why they disagree with our refusal to amend, correct, or delete non-public personal information in their file. Our office will put this statement in the customer’s/consumer’s file. In the future, if we share or disclose any non-public personal information from the file, we will also furnish a copy of the customer’s/consumer’s request to amend, correct or delete, our letter informing them of our decision, and their response.

      The rights granted in this section do not extend to information about the customer or consumer that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.
  8. Privacy Officer: Our office will designate one person to be the privacy officer. He or she will have primary responsibility for privacy and security issues. He or she will also be the contact for all complaints involving privacy or security matters. The designated privacy officer is the President and Chief Executive Officer.
  9. Staff Training: Our office will train all members of our workforce on these Privacy Policies and Procedures, as needed and appropriate for them to carry out their functions. All members of our workforce will acknowledge in writing within a reasonable time of employment their receipt and training on these Privacy Policies and Procedures.
  10. Safeguarding Information: Information about you is safeguarded in a number of ways. To protect personal information about you, we use encryption for data in transport and password technology for data in storage, in a controlled and secure environment. We also employ a variety of physical, electronic and procedural safeguards in areas containing nonpublic personal information and maintain on-site supervision of these areas. Some of the measures taken to ensure the security of information about you include:

    Data Safeguards: Our office will develop, implement, annually review and maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of the non-public personal information we hold and maintain.
    1. Physical Access: Our office will monitor and ensure that during normal business hours, no person is unescorted or unmonitored within the office unless they are an employee or a business associate with whom we have a contract that appropriately limits their use and disclosure of non-public personal information held or maintained by this office.

      Our office will identify, monitor and control who is authorized to possess and who possesses keys or the necessary codes for securing and entering the office. Upon any termination of employment, keys will be collected and codes changed to maintain the security of the office.
    2. Business Associates: Our office will obtain a written contract from all non-affiliated third parties who will have access to or receive non-public personal information in the course of their duties for us. This contract will provide for appropriate safeguards and limit their use and disclosure of the non-public personal information we share or disclose to them.
    3. Physical Data: Our office will secure all physical data that contains non-public personal information. All files not in use will be filed. No files will be left out of the filing containers overnight. All file containers will be secured when the office is closed or not occupied.
    4. Electronic Data: Our office will provide controls on access to and authentication of persons using electronic data. Our office will install, maintain, and update necessary virus protection, firewall protection, and software updates as needed.

      All employees who must have access to electronic data will have their own unique user ID and unique password. These will be controlled and changed periodically by the Privacy Officer as needed for employee terminations, updates, new software, etc.

      Our office will ensure that floppy disks, CDs, DVDs, zip drives, hard drives, electronic tapes, off-site storage, and similar items are included in the access and authentication procedures. We will ensure that the intentional destruction of data is done using a secure method.
    5. Employee training: Our office will provide annual training on the Privacy Policies and Procedures for protecting the electronic data or form of non-public personal information we hold or maintain. We will document the time, date, persons in attendance, and subjects covered.
  11. Annual Security Assessment: Our office will do an annual Privacy and Security Gap Assessment to ensure these policies and procedures are being performed and working as intended. Our Privacy Officer will initiate the assessment.