Boston Computer Forensics

Legal

Privacy Policy

Last updated: January 15, 2026 · Effective: January 15, 2026

Boston Computer Forensics ("BCF", "we", "us") is a Massachusetts-based digital-forensics and cybersecurity firm. This Privacy Policy explains what personal information we collect on https://bostoncomputerforensics.com (the "Site") and in the course of providing professional services, how we use and share it, and the rights you have under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable laws.

This policy does not apply to data we process as a service provider or processor on behalf of a client engagement — that processing is governed by the written services agreement with that client.

1. Information we collect

Information you provide

  • Contact details (name, email, phone, organization) from intake forms
  • Free-text messages you choose to include
  • Employment-application materials, if you apply for a role

Information collected automatically

  • HTTP request metadata (IP address, user agent, referrer) processed in memory for security and aggregate analytics
  • If you consent to analytics, our self-hosted Umami instance records pageviews with a truncated IP hash that cannot be linked back to you

We do not use cross-site tracking cookies, advertising pixels, Google Analytics, or fingerprinting SDKs on this Site. We do not load third-party tag managers.

2. Purposes and legal bases (GDPR Art. 6)

| Purpose | Legal basis |
| --- | --- |
| Responding to your inquiry | Art. 6(1)(b) — pre-contractual steps at your request |
| Providing professional services | Art. 6(1)(b) — performance of contract |
| Site security & fraud prevention | Art. 6(1)(f) — legitimate interests |
| Aggregate analytics (consent-gated) | Art. 6(1)(a) — consent |
| Legal and regulatory compliance | Art. 6(1)(c) — legal obligation |

3. How long we keep data

  • Intake-form submissions: 24 months (conflict check), then deleted.
  • Aggregate analytics: 13 months, then purged.
  • Engagement records: per the engagement letter and Massachusetts Rules of Professional Conduct retention requirements (typically 7 years).

4. Who we share information with

BCF does not sell or rent personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined by the CCPA/CPRA. We disclose personal information only to:

  • Service providers bound by written DPAs (email delivery, hosting)
  • Professional advisors (counsel, auditors)
  • Authorities, when required by law or to protect rights and safety
  • A successor entity in connection with a merger or sale of assets

5. International transfers

Our systems are hosted in the United States. Where personal information is transferred from the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (2021/914) together with the UK Addendum and, where applicable, the EU-US Data Privacy Framework.

6. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you (GDPR Art. 15; CCPA §1798.110)
  • Correct inaccurate information (GDPR Art. 16; CCPA §1798.106)
  • Delete your information (GDPR Art. 17; CCPA §1798.105)
  • Receive a portable copy (GDPR Art. 20; CCPA §1798.130)
  • Object to processing based on legitimate interests (GDPR Art. 21)
  • Withdraw consent at any time (GDPR Art. 7(3))
  • Opt out of "sale" or "sharing" of personal information (CCPA/CPRA — see our Do Not Sell or Share page)
  • Limit use of sensitive personal information (CPRA §1798.121)
  • Not be discriminated against for exercising any of these rights

Submit a request via our data-subject request form or by email to privacy@bostoncomputerforensics.com. We will respond within 30 days (GDPR) or 45 days (CCPA), extendable by an additional 45 days where permitted. We verify identity before responding and will not charge a fee for reasonable requests.

You may authorize an agent to submit a CCPA request on your behalf using a signed permission and government-issued ID. If you are not satisfied with our response, you may lodge a complaint with your local supervisory authority (GDPR) or the California Privacy Protection Agency (CalPPA).

7. Automated browser signals

We honor the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing under CPRA and as a withdrawal of analytics consent. We also honor legacy Do Not Track (DNT) by suppressing analytics loading for visitors who send it.

8. Children

Our services are directed to businesses and legal professionals. We do not knowingly collect personal information from children under 16 (under 13 in the United States). If you believe a child has provided information, contact privacy@bostoncomputerforensics.com for deletion.

9. Security

We apply administrative, technical, and physical safeguards proportionate to the sensitivity of the data — including TLS 1.2+ in transit, AES-256 at rest, role-based access, hardware MFA for administrators, and annual penetration testing of the Site.

10. Contact

Data Protection Officer
Boston Computer Forensics
470 Atlantic Avenue, 4th Floor
Boston, MA 02210
privacy@bostoncomputerforensics.com

EU Representative (GDPR Art. 27): appointed via the Contracted DPO network — details available on request.

11. Changes

We will post material changes to this policy on this page and, where legally required, notify you directly. The "Last updated" date reflects the current version.