
Privacy Policy

CLIENT PRIVACY

January 1, 2024

 

The SEC’s Regulation S-P (Privacy of Consumer Financial Information), which was adopted to comply with Section 504 of the Gramm-Leach-Bliley Act, requires the Company to disclose to clients its policies and procedures regarding the use and safekeeping of client records and information. For the purposes of this section and unless otherwise specified, the term “client” refers to the Company’s customers, clients, former clients, and prospective clients.
 

Definitions

Non-public information means personally identifiable financial information and any list, description, or grouping that is derived from personally identifiable financial information.

 

Personally identifiable financial information is defined to include three categories of information:

  • Information Supplied by client. Any information that is provided by a client or prospective client to the Company in order to obtain a financial product or service. This would include information or material given to the Company when entering into an investment advisory agreement.
  • Information Resulting from Transaction. Any information that results from a transaction with the client or any services performed for the client. This category would include information about account balances, securities positions, or financial products purchased or sold through a broker/dealer.
  • Information Obtained in Providing Products or Services. Any information obtained by the Company from a consumer report or other outside source which is used by the Company to verify information that a client or prospective client has given on an application for advisory services.

Consumer report information means any record about an individual, whether in paper, electronic or other form that is a consumer report or is derived from a consumer report. Consumer report information also means a compilation of such records. Consumer report information does not include information that does not identify individuals, such as aggregate information or blind data.

 

Information is collected from clients at the inception of their accounts and occasionally thereafter, primarily to determine accounts’ investment objectives and financial goals and to assist in providing clients with requested services.

 

While the Company strives to keep client information up to date, clients are requested to monitor any information provided to them for errors, and to provide accurate updated information.

 

Additionally, the SEC has adopted amendments to Rule 30 under Regulation S-P, which require financial institutions to adopt written policies and procedures to properly dispose of sensitive consumer information. The amendments are designed to protect consumers against the risks associated with unauthorized access to information and mitigate the possibility of fraud and related crimes, including identity theft.

 

Requirements

Under Regulation S-P, the Company is required to:

  1. Adopt policies and procedures to safeguard client information;
  2. Provide an initial Privacy Notice to all clients;
  3. Send an updated Privacy Notice if there is a material change in the Company’s collection, sharing, or security practices or send annually if the Company shares with third parties outside the legal exceptions.
    Note: Some states require annual delivery regardless of either of the foregoing. The CCO will determine whether annual delivery is required.
  4. Provide an opt-out notice if the Company shares information with third-party non-affiliates.

Regulation S-P requires disclosure of the types of nonpublic personal information the Company collects and whether it shares information with affiliates or non-affiliates. Specifically, the Company’s privacy notices must contain the information listed below, unless the disclosure does not apply to the Company’s practices, in which case the notice can be silent:

  1. Categories of nonpublic information collected;
  2. Categories of nonpublic personal information disclosed, if applicable;
  3. Categories of affiliates and non-affiliated third parties to whom information is disclosed; and
  4. Categories of nonpublic personal information disclosed about former clients and the categories to whom the information is disclosed.

 

Do not Share Policy

The Company has a “do not share” policy. The Company does not disclose non-public personal information to non-affiliated third parties, unless an exception exists, as described below. Since the Company currently operates under a “do not share” policy, it does not need to provide the right for its clients to opt out of sharing with non-affiliated third parties, as long as such entities are exempted as described below. If the Company’s information sharing practices change in the future, the Company will implement opt out policies and procedures, and make appropriate disclosures to its clients.
 

Types of Permitted Disclosures – The Exceptions

In certain circumstances, Regulation S-P permits the Company to share non-public personal information about its clients with non-affiliated third parties without providing an opportunity for those individuals to opt out. These circumstances include sharing information with a non-affiliate (1) as necessary to effect, administer, or enforce a transaction that a client requests or authorizes; (2) in connection with processing or servicing a financial product or a service a client authorizes; and (3) in connection with maintaining or servicing a client account with the Company.

 

The Company’s Service Providers

From time to time, the Company may have relationships with non-affiliated third parties (such as attorneys, auditors, accountants, brokers, custodians, and other consultants), who, in the ordinary course of providing their services to us, may require access to information containing non-public information. These third-party service providers are necessary for us to provide our investment advisory services. When the Company is not comfortable that service providers (e.g., attorneys, auditors, and other financial institutions) are already bound by duties of confidentiality, the Company requires assurances from those service providers that they will maintain the confidentiality of non-public information they obtain from or through the Company. In addition, the Company selects and retains service providers that it believes are capable of maintaining appropriate safeguards for non-public information, and the Company will require agreements from its service providers that they will implement and maintain such safeguards.
 

Processing and Servicing Transactions

The Company may also share information when it is necessary to effect, administer, or enforce a transaction requested or authorized by clients. In this context, “necessary to effect, administer, or enforce a transaction” includes what is required or is a usual, appropriate, or acceptable method:

  1. To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the client’s account in the ordinary course of providing the financial service or financial product;
  2. To administer or service benefits or claims relating to the transaction or the product or service of which it is a part;
  3. To provide a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product to the client or the client’s agent or broker.

 

Sharing as Permitted or Required by Law

The Company may disclose information to non-affiliated third parties as required or allowed by law. For example, this may include disclosures in connection with a subpoena or similar legal process, a fraud investigation, recording of deeds of trust and mortgages in public records, or an audit or examination.
 

Internal Procedures

The CCO will consider the level of risk that client information may be misused, altered, stolen, or destroyed, and maintain physical, electronic, and procedural safeguards that comply with federal standards to guard each client’s personal financial information. The safeguards will:

  1. Ensure the security and confidentiality of client records and information;
  2. Protect against any anticipated threats or hazards to the security or integrity of client records and information; and
  3. Protect against unauthorized access to or use of client records or information that could result in substantial harm or inconvenience to any client.

The CCO will ensure that the following safeguards are maintained:

  1. Hard copies of client personal and non-personal financial information, including information contained on suitability forms, will be maintained in the Company’s files, and will be secured (locked) after normal business hours;
  2. Electronic access to client personal financial information will be restricted to the client’s IAR, the CCO and others the CCO determines have ‘business need to know’ access; and
  3. All Associated Persons will be informed of the Company's delivery procedures, security safeguards and destruction/disposal procedures.

 

Delivery Procedures

Initial Privacy Notice Delivery

Each client will be provided with a copy of the Privacy Notice upon opening his/her account. The client is required to acknowledge receipt of the privacy notice in writing, and the acknowledgment will be maintained in the client’s file. The privacy notice may be included with the Form ADV brochure documents and acknowledgement of receipt may be included in the written agreement for services/advisory contract.
 

Revised Privacy Notice

Each client will be promptly provided with a copy of the Company’s Privacy Notice if there is a change in the Company’s collection, sharing, or security practices, or a copy will be provided at least annually for clients in certain states where required or where the Company shares information with third parties outside the legal exceptions. In all cases, delivery of the privacy notice will be documented in the Company’s records and maintained for a period of at least five years as described in the books and records section of this manual.

 

Information Security and Privacy

The Company shall establish, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information. The policies and procedures shall be tailored to the Company’s business model, taking into account the size of the firm, type of services provided, and the number of locations of the Company.

The physical security and cybersecurity policies and procedures shall:

  1. Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;
  2. Ensure that the Company safeguards confidential client records and information; and
  3. Protect any records and information the release of which could result in harm or inconvenience to any client.

The physical security and cybersecurity policies and procedures shall cover at least five functions:

  1. The organizational understanding to manage information security risk to systems, assets, data, and capabilities;
  2. The appropriate safeguards to ensure delivery of critical infrastructure services;
  3. The appropriate activities to identify the occurrence of an information security event;
  4. The appropriate activities to take action regarding a detected information security event; and
  5. The appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.

The Company shall review, no less frequently than annually, and modify, as needed, these policies and procedures to ensure the adequacy of the security measures and the effectiveness of their implementation.
 
The Company shall deliver upon its engagement by a client, and on an annual basis thereafter, a privacy policy to each client that is reasonably designed to aid in the client’s understanding of how the Company collects and shares, to the extent permitted by state and federal law, nonpublic personal information.  The Company shall promptly update and deliver to each client an amended privacy policy if any of the information in the policy becomes inaccurate.

 

Written Information Security Program

The Company strives to: (a) ensure the security and confidentiality of current and former client records and information; (b) protect against any anticipated threats or hazards to the security or integrity of current and former client records and information; and (c) protect against unauthorized access to or use of current and former client records and information that could result in substantial harm or inconvenience to any current and former client. Accordingly, the following procedures will be followed:
 
Confidentiality. Associated Persons shall maintain the confidentiality of information acquired in connection with their employment with the Company, with particular care taken regarding non-public personal information. Associated Persons shall not disclose non-public personal information, except to persons who have a bona-fide business need to know the information in order to serve the business purposes of the Company and/or clients. The Company does not disclose, and no Associated Person may disclose, any non-public personal information about a client or former client other than in accordance with these procedures.
 
Information Systems. The Company has established and maintains its information systems, including hardware, software, and network components and design, in order to protect and preserve non-public personal information.
 
Passwords and Access. Associated Persons use passwords for computer access, as well as for access to specific programs and files. Non-public personal information shall be maintained, to the extent possible, in computer files that are protected by means of a password system secured against unauthorized access. Access to specific Company databases and files shall be given only to Associated Persons who have a bona-fide business need to access such information. Passwords shall be kept confidential and shall not be shared except as necessary to achieve such business purpose. User identifications and passwords shall not be stored on computers without access controls, written down, or stored in locations where unauthorized persons may discover them. Passwords shall be changed if there is reason to believe passwords have been compromised. All access and permissions for terminated Associated Persons shall be removed from the network system promptly upon notification of the termination. To avoid unauthorized access, Associated Persons shall close out programs and lock their terminals when they leave the office for an extended period of time and overnight. Terminals shall be locked when not in use during the day and laptops shall be secured when leaving the Company premises. Confidentiality shall be maintained when accessing the Company network remotely through the implementation of appropriate firewalls and encrypted transmissions.
 
System Failures. The Company will maintain appropriate programs and controls (which may include anti-virus protection and firewalls) to detect, prevent and respond to attacks, intrusions or other systems failures.
 
Electronic Mail. As a rule, Associated Persons shall treat e-mail in the same manner as other written communications. However, Associated Persons shall assume that e-mail sent from the Company computers is not secure and shall avoid sending e-mails that include non-public personal information to the extent practicable. E-mails that contain non-public personal information (whether sent within or outside the Company) shall have the smallest possible distribution in light of the nature of the request made.
 
Disposal. Electronic media, on which non-public personal information is stored, shall be formatted and restored to initial settings prior to any sale, donation, or transfer of such equipment.
 
Documents. Associated Persons shall avoid placing documents containing non-public personal information in office areas where they could be read by unauthorized persons, such as in photocopying areas or conference rooms. Documents that are being printed, copied, or faxed shall be attended to by appropriate Associated Persons. Documents containing non-public personal information, which are sent by mail, courier, messenger or fax, shall be handled with appropriate care. Associated Persons may only remove documents containing non-public personal information from the premises for bona-fide work purposes. Any non-public personal information that is removed from the premises must be handled with appropriate care and returned to the premises as soon as practicable.
 
Electronic Documents. Unless specifically authorized by the CCO in writing, Associated Persons are prohibited from maintaining any electronic document that includes non-public personal client information on their personal computers and mobile electronic devices (smart phones, tablets, wearable computers, etc.).
 
Personal Identification Numbers (“PINs”). In some cases, the Company maintains access to private account information that enables us to gain access to client accounts for the purposes of monitoring such accounts. Such information may include PINs and passwords provided by clients or brokers that enable on-line access. Such information is found in the secure database of the Company and/or in the clients’ physical files. To access the database, authorized Associated Persons of the Company must use their assigned password to gain entry each time. The physical files are to be kept organized and the office locked when not in use. Associated Persons agree that they are obligated to tightly monitor this information at all times and use it only to effect the management of the Company’s strategies in the account. Upon termination of advisory services, all electronic PINs and passwords maintained in client files will be destroyed.
 
Discussions. Associated Persons shall avoid discussing non-public personal information with, or in the presence of, persons who have no need to know the information. Associated Persons shall not discuss non-public personal information in public locations, such as elevators, hallways, public transportation, or restaurants.
 
Access to Offices and Files. Access to offices, files or other areas where non-public personal information may be discussed or maintained is limited, and Associated Persons shall enter such locations for valid business purposes only. Meetings with clients shall take place in conference rooms or other locations where non-public personal information will not be generally available or audible to others. Visitors shall generally not be allowed in the office unattended.
 
Old Information. Client information that, at the sole discretion of the CCO, is no longer required to be maintained shall be destroyed and disposed of in a manner approved by the CCO.

 

Disposal of Client Information and Records

Every investment adviser that maintains or otherwise possesses private client information for a business purpose must properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
 
Disposal means the discarding or abandonment of such information; or the sale, donation, or transfer of any medium, including computer equipment, on which such information is stored.
 
Based on what is appropriate for the Company’s size and the complexity of its operations, the Company has established the following disposal measures:

  1. Records containing client information must be shredded, burned or pulverized so that the information cannot practicably be read or reconstructed;
  2. Electronic media containing client information must be erased or destroyed in a manner so that the information cannot practicably be read or reconstructed;
  3. The Company may enter into a contract with a third party engaged in the business of record destruction to dispose of private client information. As part of its due diligence the Company will take reasonable steps to select and retain such service provider that is capable of, and is contractually obligated to, properly dispose of the information.

In this context, due diligence might include reviewing the disposal company’s operations, obtaining information about the disposal company from several references or other reliable sources, signing a non-disclosure agreement with the disposal company, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company’s information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.

 

Managing a Privacy Breach

An Associated Person must immediately notify the CCO if he or she becomes aware of an actual or suspected privacy breach, including any improper disclosure of client non-public personal information and/or of the Company’s proprietary information. As appropriate, the CCO will:

  • To the extent possible, identify the information that was disclosed and the improper recipients;
  • To the extent possible, categorize the incident based on sensitivity of information involved and operational impact;
  • Take actions necessary to prevent further improper disclosures;
  • Take actions necessary to reduce the potential harm from improper disclosures that have already occurred;
  • Discuss the issue with counsel and evaluate individual state reporting requirements;
  • Contact regulatory authorities and/or law enforcement officials, where required;
  • Notify affected clients, where required;
  • Collect, prepare, and retain documentation associated with the breach and the Company’s responses, including post-incident review of events and actions taken, if any; and
  • Evaluate the Company’s existing privacy protection policies and procedures in light of the breach and make any needed changes accordingly.

 

Training

The Company will provide guidance and periodic training to Associated Persons relating to information security risks and responsibilities. The Company will retain documentation of the agenda of those training sessions and the topics covered. The Company will also retain a dated list of the Associated Persons who received such training.