Privacy Policy
Policy overview
What information Sitoo Advisory collects via this website, why we collect it, and how we use and protect it. Written in plain language so you don’t need a lawyer to read it.
1. Who we are
This website is operated by Sitoo, LLC, a Florida limited liability company doing business as Sitoo Advisory (“Sitoo Advisory,” “we,” “us,” “our”). Sitoo Advisory is an independent consulting practice providing cybersecurity, data protection, privacy, GRC, IT audit, and AI governance advisory services to small and mid-market organizations.
For privacy questions, contact: juan.molina@sitooadvisory.com.
2. What information we collect
We only collect information you choose to give us through the forms on this website (Contact, Request a Risk Briefing, RFI Intake). Specifically:
- Contact information — full name, business email, company, job title, optional phone number, optional company website.
- Company context — industry, company size, growth stage.
- Engagement details — service area of interest, problem statement, current state, desired outcome, timeline, urgency, optional budget range.
- Data & regulatory scope — whether regulated or sensitive data is in scope, data type categories (PII / PHI / PCI / SPI / employee / customer / vendor / unknown), and compliance drivers (GDPR, CCPA/CPRA, HIPAA, PCI DSS, SOC 2, ISO 27001, NIST CSF, AI governance, vendor risk, cyber insurance).
- Contact preferences — preferred contact method and optional availability.
- Consent records — the consent and privacy acknowledgment checkboxes you select.
We do not set advertising cookies, tracking pixels, or behavioral analytics on this site. We do not buy or sell personal information. If we add basic operational analytics later, this policy will be updated and disclosed.
3. Why we collect it (purpose & lawful basis)
We use the information you submit for the following purposes only:
- To respond to your inquiry, schedule a briefing, or evaluate engagement fit.
- To prepare a written outline of how Sitoo Advisory would approach the engagement.
- To maintain reasonable business records of inquiries and proposals.
- To comply with applicable legal, regulatory, or professional obligations.
Where GDPR or UK GDPR applies, the lawful bases are consent (Art. 6(1)(a)) for using your contact details to respond, and legitimate interests (Art. 6(1)(f)) for evaluating prospective engagements and maintaining business records, balanced against your rights as a data subject.
4. Data minimization
We ask for the smallest set of information needed to determine fit and respond. Optional fields are clearly marked. We do not require the disclosure of confidential, privileged, regulated, or highly sensitive information at the inquiry stage — and we explicitly ask that you not submit such information through the website.
5. How we use it
Information you submit is reviewed by Juan Molina, Principal Advisor at Sitoo Advisory, for the purposes set out above. We may classify the inquiry internally (service area, urgency, data sensitivity, compliance driver) so we can prioritize and route the response. We do not share internal classifications with you in robotic form — we use them only to inform how and when we follow up.
6. Who we share it with
We do not sell or rent your information. We do not share it with marketing partners. We may share it only:
- With service providers that operate the website, form intake, email, or scheduling infrastructure used to respond to you, under written data-processing terms.
- With professional advisors (e.g., legal counsel, accountants) where strictly necessary and under confidentiality.
- Where required by law, valid legal process, or to protect the rights, property, or safety of Sitoo Advisory, you, or others.
7. Retention
We retain inquiry information for as long as it serves the purposes set out in Section 3, and then for the additional period required to meet legal, tax, or professional obligations. The defaults are:
- Inquiries that result in an engagement — retained for the duration of the engagement and a defensible period thereafter to satisfy record-keeping obligations (typically up to seven years from the close of the engagement, aligned with U.S. tax and professional-services record-retention norms).
- Inquiries that do not result in an engagement — retained for up to four years from your last interaction with us, calibrated to applicable statutes of limitations (Florida’s general negligence limitations period is four years) and to allow for follow-up cycles and related regulatory inquiries.
- Consent records (the checkboxes you select when submitting a form) — retained for at least the period the underlying personal information is retained, and longer where required to demonstrate compliance with applicable laws (e.g., GDPR Art. 7(1) and Art. 30, CCPA/CPRA record-keeping rules).
- Legal hold — where Sitoo Advisory becomes aware of pending or reasonably anticipated litigation, investigation, regulatory inquiry, or governmental request, affected information is preserved for the duration of the matter regardless of the periods above.
When a retention period ends and no legal hold applies, we delete or anonymize the information. You may also request earlier deletion under the rights described in Section 9; we will honor the request unless a legal, regulatory, or professional obligation requires continued retention, in which case we will explain the basis for continuing to hold the data.
8. Security safeguards
Sitoo Advisory is an independent practice in its early stage. As of this policy date, the practical safeguards in operation are described below. Formal written policies, sub-processor data-processing agreements, and other audit-ready documentation are being built out as the practice scales and engagement volume justifies the overhead. This section will be updated to reflect that progression.
What is in place today:
- Technical — encryption in transit on the website (TLS 1.2 minimum, enforced by the hosting CDN); encrypted endpoint storage on operational devices; multi-factor authentication on operational accounts; secure password management with no shared credentials; current operating-system and software patching.
- Operational practices — inquiry review conducted under engagement confidentiality; data-minimization at intake (Section 4); use of established platform providers for website hosting and form handling, which provide their own logging and security postures.
- Incident response — if a security incident affecting submitted information were to occur, Sitoo Advisory would notify affected individuals and supervisory authorities where applicable law requires, and would describe the incident and remediation in writing.
What is being built out as the practice grows:
- Written information-security and acceptable-use policies appropriate to the practice.
- A maintained sub-processor inventory with attestations on file and written data-processing terms where applicable law requires.
- A periodic review schedule aligned with the retention rules in Section 7.
- A documented incident-response runbook beyond the practice described above.
No system is perfectly secure, and the above describes the practices in place rather than a guarantee of any specific outcome. You can help reduce risk by respecting the “do not submit confidential, privileged, regulated, or highly sensitive information” notice at the top of this policy, and by exchanging sensitive material only under a signed engagement letter and the secure channels established for that engagement.
9. Your rights
Depending on where you live, you may have rights including: the right to access, correct, delete, or port your personal information; the right to object to or restrict certain processing; the right to withdraw consent; and the right to lodge a complaint with a supervisory authority. To exercise any of these rights, email juan.molina@sitooadvisory.com. We will respond within applicable legal deadlines.
If you are in the EU/UK, you may also lodge a complaint with your local data protection authority. If you are a California resident, you have rights under the CCPA/CPRA including the right to know, delete, correct, and opt out of sale or sharing (we do not sell or share).
10. International transfers
Sitoo Advisory is based in the United States. If you submit information from outside the United States, you understand that your information will be processed in the United States. Where required, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) for international transfers.
11. Children
This website is intended for business inquiries. We do not knowingly collect personal information from children under 16. If you believe a child has submitted information, contact us and we will delete it.
12. Cookies & analytics
This website does not currently set marketing cookies, advertising cookies, or third-party tracking pixels. The site uses standard browser features and a Google Fonts stylesheet for typography. If this changes, this policy will be updated.
13. Changes to this policy
We may update this policy from time to time. The “Effective date” and “Last updated” values at the top of this page reflect the most recent revision. Material changes will be noted clearly.
14. No client relationship
Submitting a form on this website does not create a client, advisory, attorney–client, or fiduciary relationship between you and Sitoo Advisory. Professional services are subject to a separate, written engagement agreement. See the Terms page for additional disclaimers.
15. Contact
Privacy questions, requests, and complaints:
- Email: juan.molina@sitooadvisory.com
- Subject line: Privacy Inquiry — [your topic]