Privacy Policy

IFO4 Inc. is a Delaware non-profit corporation and the controller of personal information processed under this Policy. IFO4 operates a suite of professional-development products for the Financial Operations discipline, including the UNUM cost calculator, IFO4 Social, the IFO4 Community, professional certifications, learning programs, research publications, and events.

This Policy explains your rights and IFO4's obligations under applicable U.S. federal and state privacy laws, including:

• California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA);
• Virginia Consumer Data Protection Act (VCDPA);
• Colorado Privacy Act (CPA);
• Connecticut Data Privacy Act (CTDPA);
• Utah Consumer Privacy Act (UCPA);
• Texas Data Privacy and Security Act (TDPSA);
• Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Kentucky, and Rhode Island comprehensive state privacy laws, and other analogous statutes as they become effective;
• Illinois Biometric Information Privacy Act (BIPA), applicable to on-device exam processing;
• Children's Online Privacy Protection Act (COPPA). IFO4 does not knowingly serve anyone under 18;
• Health Insurance Portability and Accountability Act (HIPAA), only where IFO4 is engaged as a Business Associate under a BAA;
• Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, where applicable to financial-services customers;
• Federal Trade Commission Act § 5 prohibitions on unfair and deceptive acts.

The sub-sections below describe the categories of information IFO4 collects, organized by product area. Only information necessary to operate the relevant Service is collected.

IFO4 processes the categories of information above for the following purposes, each tied to a lawful basis recognized under applicable U.S. law:

• Providing the Services (contract). Running the Platform, UNUM, certifications, learning, events, and community features.
• Security and fraud prevention (legitimate interest). Account-lockout, anomaly detection, abuse reporting, law-enforcement response.
• Customer support (contract). Answering questions, honoring appeals, running human review.
• Product improvement and analytics (legitimate interest). Aggregated, privacy-preserving analytics only. IFO4 does not sell personal information.
• Communications (consent + legitimate interest). Transactional emails, event reminders, newsletters you opt in to.
• Legal compliance (legal obligation). Tax, accounting, professional-body reporting, response to valid legal process.

IFO4 shares personal information only in the following limited circumstances:

• Service providers under contract: payment processing (Stripe), cloud hosting (Google Cloud), email delivery (Google Workspace), analytics, monitoring, and fraud prevention. Each provider is contractually bound to process personal information only on IFO4's instructions.
• Other users, by your choice: public profile fields, User Content you post, reactions you give, credentials you display.
• Legal process: in response to valid U.S. subpoenas, court orders, warrants, or equivalent compulsory process. IFO4 may challenge overbroad or improper requests.
• Business transfers: in connection with a merger, acquisition, sale of assets, reorganization, or dissolution, subject to protections in this Policy.

IFO4 does not sell personal information and does not engage in cross-context behavioral advertising.

IFO4 retains personal information only as long as reasonably necessary to provide the Services and to satisfy legal, accounting, and legitimate-business purposes. Typical retention periods include:

• Account and profile data: while your account is active, plus two (2) years after closure.
• Exam records and credential status: seven (7) years for audit and verification.
• Financial records: seven (7) years as required by U.S. tax and accounting standards.
• Support and dispute records: the limitation period of any potentially applicable claim.
• Security logs: twelve (12) months rolling, aggregated and de-identified thereafter.

Depending on your state of residence, you may have the rights listed below. IFO4 honors these rights for all U.S. residents where granted by applicable state law, and in many cases extends them voluntarily to all U.S. users.

• Right to know: what personal information IFO4 has about you and how it is used.
• Right to access: a copy of your personal information in a portable format.
• Right to correct: inaccuracies in your personal information.
• Right to delete: your personal information, subject to legal-retention exceptions.
• Right to opt out: of any sale or cross-context behavioral advertising (which IFO4 does not engage in).
• Right to limit: the use of sensitive personal information (which IFO4 honors even though it does not use sensitive information for unrelated purposes).
• Right to non-discrimination: you will not be treated differently for exercising any of these rights.
• Right to appeal: any denial of a rights request, via privacy@ifo4.org.

Submit requests via privacy@ifo4.org. IFO4 will verify your identity and respond within the timeframe required by applicable law, typically 45 days.

• TLS 1.2+ in transit; AES-256 at rest for sensitive fields.
• Role-based access controls, principle of least privilege, and quarterly access reviews.
• Multi-factor authentication available for all accounts; required for IFO4 staff.
• Automated dependency scanning, secrets scanning, and vulnerability patching.
• Audit logging of privileged actions. Audit log is retained and monitored for anomalies.
• Annual security review. IFO4 will publish its formal Trust Center documentation when available.

If IFO4 determines that a security breach has affected your unencrypted personal information, IFO4 will notify you and relevant authorities consistent with applicable U.S. federal and state breach-notification laws.

IFO4 services are intended exclusively for professionals aged eighteen (18) or older. IFO4 does not knowingly collect, solicit, or process personal information from anyone under 18 and does not direct any Service to children. If IFO4 becomes aware that personal information has been collected from a minor, IFO4 will delete that information promptly and terminate the associated account. If you believe a minor has registered, contact privacy@ifo4.org immediately.

IFO4 uses cookies and similar technologies as described in the IFO4 Cookie Policy (ifo4.org/cookies), which is incorporated into this Privacy Policy by reference. The Cookie Policy describes the categories of cookies IFO4 uses, their purposes, retention, and how you can manage them, including opting out through the Cookie Preferences Center in the ifo4.org footer.

The Services may link to or integrate with third-party websites, platforms, and tools. IFO4 does not control and is not responsible for the privacy practices of third parties. Reviewing the privacy policies of those third parties before providing personal information to them is your responsibility.

California residents may request once per calendar year a list of third parties to whom IFO4 has disclosed personal information for direct-marketing purposes, if any, in the preceding calendar year. As stated above, IFO4 does not share personal information with third parties for their direct-marketing purposes. Requests may be sent to privacy@ifo4.org.

IFO4 may update this Policy from time to time. Material changes will be communicated at least thirty (30) days in advance by email to your registered address and through an in-platform notification. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

• Privacy questions and requests: privacy@ifo4.org
• Data-rights appeals: privacy@ifo4.org
• Security concerns: security@ifo4.org
• Postal: IFO4 Inc., Delaware, United States