[This website should be accessed by a human being with a web browser via https on port 443. If you are attempting to access this system in some other way, these privacy rights do not apply to you. You may be uniquely identified, tracked, and reported to law enforcement in any jurisdiction. Sad, but true. Please review our Terms And Conditions of Use. ]
WHO IS REMNANTEDU?
RemnantEDU is a Sole Proprietorship located in South Carolina, USA operating an eCommerce website to provide educational materials to the public.
Website address: https://remnantedu.org
Mailing address: RemnantEDU P. O. Box 7 Jackson, SC 29831-0007
Phone: (404) 623-4386
Privacy Officer: firstname.lastname@example.org
Customers in the EU must whitelist the address email@example.com which is necessary for the notifications we are required to provide under the GDPR. We are required to be able to contact you regarding your rights, and to obtain your consent, it is not an address we use for advertising email.
HOW DO WE USE YOUR DATA?
We have two classes of visitors to our website, those who browse the site anonymously (visitors), and those who place an order (customers). No individually identifying information is retained on anonymous visitors except for one ephemeral (temporary) log file which is archived weekly, and which may be later used for security or incident analysis.
Visitor fields are limited to IP Address, User-Agent String, Date & Time of visit, and the Resource requested with the resulting http(s) response code. We do not identify a visitor’s Operating System or uniquely identify a visitor by “fingerprinting” their system through browser features or their User-Agent String.
Visitors who place an order have the option of using a “guest checkout” feature which reduces the number of data fields we retain. Normally this information is limited to that which is previously described as pertaining to any visitor and:
- Your Name.
- Your Email Address.
- Your Telephone Number. (If you typed it in a form field.)
- Your Shipping Address.(If you typed it in a form field here.)
- Data fields about your order (Item, Qty, Etc…)
- Your payment transaction ID and Date
- Any notes you may have entered regarding your order.
- Any information you type in any form field on our website may be retained.
This information is retained as needed for our normal operations such as filling orders, looking up payment transaction information, and preparing periodic financial reports.
WHAT IS UP WITH COOKIES?
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This is a session cookie, not a tracking cookie. It contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
On occasion, certain features may be tested which automatically set a session cookie, or use the local data storage service of your web browser. This functionality is designed to assist the system in maintaining the state between the website and your web browser. These are not tracking cookies.
EMBEDDED CONTENT FROM OTHER WEBSITES
We make a proactive effort to eliminate or reduce any content delivered by a third party website, although articles on this site occasionally include embedded content (e.g. videos, images, etc…).
ANALYTICS & TRACKING
We analyze the effectiveness of our own in-bound advertising, and conduct quality management analytics directly on our own log files, therefore we do not utilize any third-party analytics software or systems. This is because “big data/click thru ad networks” is not our business model. Our site is a point of sale itself, the sole destination for our book sales. We do not host advertisements from third parties, or participate in affiliate programs.
This is also why do not conduct any form of Website Visitor Tracking, an issue which has become complex to explain in simple terms. You may wish to read the Wikipedia Article about Website Visitor Tracking.
Embedded scripts from social media networks also has adverse effects on your privacy. These networks can track your movements all over the Internet easily, as many sites contain code that notify them when you visit a page. [This is why we don’t use that kind of embedded code. We only provide a direct link to our Social Media accounts.]
For anyone who is concerned about this kind of tracking, more meaningful information can be found by searching the internet with the keywords “Ad Blocking”.
Any “host” (system) that tracks your activity must expose its name, and by host name they can be trivially blocked. There are a variety of tools and methods for this, notable among them is uBlock Origin, which is a broad-spectrum site blocker and is free software under the GNU Public License.
DO WE SHARE YOUR DATA WITH 3RD-PARTIES?
We do not share your data with anyone.
If you choose to use a payment method through which to place an order or make a donation utilizing one of our merchant payment processors, such as by using a credit card or your PayPal account, you will interact with one or more of the payment processors we use. This means you are sharing your data with them directly to pay for products or to give a donation to RemnantEDU.
We utilize CloudFlare’s Domain Name Service and may, according to our needs (but not currently) utilize their network edge-caching and DDOS protection products. This is not data sharing in it’s regular sense, it’s more of a “cloud based application network delivery service” for us as a vendor to you as a customer. This does not give them access to any data you have stored at this website, but may allow them to temporarily decrypt your connection to the website within the confines of their network for network delivery to a location geographically nearer to you.
You can read these third-party privacy policies at the links below.
HOW LONG DO WE RETAIN DATA?
For users that register for an account on our website, we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information. This information is normally retained until a user modifies it or requests that it be deleted.
If you place an order, all personal, shipping, and transaction information is retained for a minimum of 3 years according to the laws of the State of South Carolina, United States of America, or until such time as you request that the records be deleted.
YOUR RIGHTS OVER YOUR DATA
If you have an account on this site and have created orders you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. We are pleased to provide “full delete” to anyone who requests it. A full delete will not include any data we are obliged to keep for administrative, legal, or security purposes, which is likely trivial for your privacy concerns. Usually the items we are required to maintain are things which will identify a financial transaction, which most likely cannot be used to identify you personally.
HOW WE PROTECT YOUR DATA
Protecting your data is a function not only of information and network security, but also staff training, and many other operational issues. We have many procedures to protect your personal data.
DATA CENTER FACILITY
This system is located and operates in a secure data center in Atlanta, Georgia. We have a current Data Protection Addendum (DPA) in place with the facility which informs them of our need to protect your data. The facility also provides physical security (personnel, locks, systems, devices) to prevent access to our systems located within the facility.
Our staff is trained monthly for domestic and international Compliance, the prevention of Social Engineering disclosures, maintenance and disposal of physical (printed) records, and the latest best practices in InfoSec (Information security).
INFORMATION, NETWORK, AND SYSTEM SECURITY
The language of InfoSEC and NetSEC can pose unfamiliar terms and acronyms, but it’s also important to speak accurately. In the the OSI model (ISO 7498-1) our responsibility is primarily found in the Application (7th) Layer, and to a lesser extent in the Presentation (6th) Layer, between which two we find the majority of the Application “Stack”. This is usually the Host Operating System, Kernel, Shells, Tools and Utilities, File Systems, Database Servers, Web Servers, and the Programming language(s) as they are designed to implement business logic, and store and retrieve data.
[This actually leaves the larger responsibility, layer-wise, with the users’ ISP, mobile carrier, network operator (or ISPs network carrier), the operating stack of the user’s device, it’s manufacturer, third-party suppliers to the device manufacturer, its physical security, and the ability of the operator to identify and reject malware, create and maintain good passwords, and avoid Social Engineering and device related attacks. Those layers are as important to security, and thus privacy, as anything we do, which is the reason we point this all out.]
We have many complex procedures with which we secure these elements, but in simple terms, we:
- Take a Proactive/Active Role in system security, and actively monitor logs and servers.
- Keep Operating Systems, Applications, Scripts, Scripting Languages, and Servers are up to date with the latest packages and packages.
- Subscribe to security mailing lists and feeds for all the software we use.
- Maintain automated systems which scan for intrusion attempts.
- Conduct periodic penetration testing.
DATA PROTECTION ADDENDUM
Operational data, that is databases in use on a daily basis for business operations is protected by our internal policies to prevent theft, accidental disclosure, and disclosure caused by fraudulent means.
Operational data is not encrypted, but all archives (data at rest) is encrypted with 256 bit Advanced Encryption Standard (AES) ciphers, and your connection to the website via https (data in motion) is encrpted by RSA 2048 bits, with a variety of TLS protocols. You can examine, test, and review the score of our SSL/TLS certificate at SSL Labs
DATA BREACH PROCEDURES WE HAVE IN PLACE
We have never had a data breach, but info security is no place for hubris. We are committed to responsible disclosure. We operate in a complex legal environment, which includes different notification laws and definitions in all 50 states and districts, Article 33 Of The GDPR, and other laws in untold other locales we do business with.
As laws vary, and to just generally do the right thing, we don’t stipulate any minimum number of records required in a breach to report it an notify. We will fully report and notify on any breach.
As mandated response time tends to be 72 hours, we have defined our maximum response time to 48 hours for full notification. Our response and notification protocols should meet and in almost all cases exceed what is required by law anywhere.
This is who we notify for any breach, and the approximate order in which they are notified:
- Our network security team for further intrusion prevention.
- Our forensic analysis team.
- Merchant gateway notification.
- Law enforcement.
- User notification. (California)
- User notification (All Other Places)
- Public disclosure, press release.
There are conditions which affect the exact order and timing of notification. For California Civil Code under ARTICLE 7. Accounting of Disclosures [1798.25 – 1798.29] (C) states notification
“may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.”
In this case we would take the path required by law, or that of “least confusion”.
The Notification Itself
The breach notification will provide a brief description of the security breach, a contact for inquiries, and helpful references to individuals regarding identity theft and fraud.
WHAT THIRD PARTIES WE RECEIVE DATA FROM
We do not receive data from third parties. [It’s not our business model. Please read the Section on Analytics and Tracking.]
OUR USE OF AUTOMATED DECISION MAKING
Even after revision, Article 29 of the GDPR retains some uncomfortably unclear terminology related to automated processing and “profiling”. Any automated script could be considered “decision making” and many data points might be construed as “profiling”.
We may use automated scripts or programs with decision trees such as:
if the user has purchased from us before, and has opted in for notifications of upcoming books, then send them an email regarding this new book.
We are just a little bookstore on the internet. The most serious automated process we have sends an email when a new book is ready. We have no ability to affect anyone’s employment, healthcare, gambling problem, or to send them off in a cattle car. We do not believe this type of scripting is against the spirit or letter of these clauses in the GDPR, so at this time we continue conducting business with the EU.