California Consumer Privacy Act


This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS supplements the information contained in the Bitsy Privacy Policy and our subsidiaries (collectively, “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this notice.

Under California Civil Code Section 1798.83 (the Shine the Light” law), California residents who provide personal information in obtaining products or services from Bitsy are entitled to request and obtain from us once per calendar year information about the customer information about them that we have shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which we shared customer information for the immediately prior calendar year (e.g., requests made in 2020 will receive information regarding 2019 sharing activities). If you are a California resident and would like a copy of this information, please submit a written request to:



Email: [email protected] with the subject line of “CCPA Request”

Address:  800 S. Gay St., STE 1100 ATTN: Bitsy Advisor, Knoxville, TN 37929


Bitsy is a cloud SaaS platform that is leveraged by multiple companies. Bitsy can only exercise your data rights for the data under its direct control. If you want to exercise your CCPA rights, but your data is controlled by another company that is served by Bitsy, you will need to contact them directly, as Bitsy does not control this data. Bitsy does NOT sell your data to third parties.

Information We Collect

Learn more →


A real name, alias, postal address, firm name, online identifier, unique personal identifier, internet protocol address, email address, or other similar identifiers.

Collected: YES


A name, signature, physical characteristics or description, address, telephone number, education, employment, employment history. Some personal information included in this category may overlap with other categories.

Collected: YES

Social Security number, driver’s license number, passport number.

Collected: NO


Under California or Federal Law:

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).

Collected: NO 


Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Collected: NO


Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.

Collected: NO


Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.

Collected: NO 


A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name or other similar identifiers.

Collected: YES

Social Security number, driver’s license number, passport number.

Collected: NO


Physical location or movements.

Collected: NO


Audio, electronic, visual, thermal, olfactory, or similar information.

Collected: NO


Current or past job history or performance evaluations.

Collected: YES 


Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

Collected: NO 


Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Collected: NO 

Personal information does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, such as:

  1. Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
  2. Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

We obtain the categories of personal information listed above from the following categories of sources:

  • Directly from our clients or their agents. For example, from the email content from sales people.
  • Indirectly from our clients or their agents. For example, through information we collect from our clients in the course of providing services to them.
  • Directly and indirectly from activity on our website ( For example, from submissions through our website portal or website usage details collected automatically.
  • From third-parties that interact with us in connection with the services we perform. For example, from customers that inform of new workflows when launching new products and services.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following business purposes:

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing of Personal Information

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

       We have NOT sold any personal information in the preceding (12) months

Your California Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.


We may deny your deletion request if retaining the information is necessary for us or our service providers to:


  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
    Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to:

Emailing us at [email protected] with the subject line of “CCPA Request”

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.


Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.


We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:


  1. Deny you goods or services.
  2. To provide you with information, products or services that you request from us.
  3. Provide you a different level or quality of goods or services.
  4. Suggest that you may receive a different level or quality of goods or services.

Changes to our Privacy Notice

We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will notify you by email or through a notice on our website homepage.

Contact Information

If you have any questions or comments about this notice, our Privacy Policy and/or Privacy Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:


Email: [email protected] with the subject line of “CCPA Request”

Address:  800 S. Gay St., STE 1100 ATTN: Bitsy Advisor, Knoxville, TN 37929


Last modified: June 24, 2021

See why 800+ Advisors love Bitsy

© Bitsy Advisor 2021 All Rights Reserved

How can we help?

15 + 4 =

Compliance Checklist

Disclosure Delivery. Proof of Delivery.

You can deliver disclosures at any time during the client acquisition process.  Disclosure documents can attach to any questionnaire you build, be sent with contracts or automatically upload to your client's dashboard, for example.  This is completely your preference.

Proof of delivery happens within an admin's and an advisor's dashboard, with a timestamp of delivery for compliance adherance.

Platform Updates and Enrollment Audit Line Items.

You get world-class RIA attorneys continually keeping you up-to-date and in-line with your state and national compliance regualtions.  You can even get discounted access to their time, should you need it.

Bitsy automatically tracks and timestamps client enrollment steps to ensure you have what you need during audit.  You can easily download and send as littls as 1 client contract to your auditor, or mass download all client contracts and email via zip file to said auditor.  It's quick and easy.

Client Information and Record Retention Requirements.

Our compliance staff keeps us (and you) up to date on such requirements, and removal can only happen upon request to our support staff so that advisors can not remove manually. 

If you should discontinue your membership with Bitsy, we make it easy for you to transfer all of your client records and documents.  However, you only get 30 days to do so before we email all such records and automatically close your account.

We are NOT going to hold all of your electronic records for 5 years.

GDPR Compliance

Individual Data

Lawful, fair and transparent data processing in relation to individuals:

Bitsy’s onboarding module only collects data required by law to enroll new clients.

Data Collection

Specified, explicit and legitimate purpose for data collection:

Bitsy’s onboarding and other custom modules clearly identify required data from prospets and clients.

We also make it easy to completely purge data from Bitsy, simply reach out and we’ll do it fo you IF you meet guidelines for legal disposal AND you are an approved compliance officer/firm admin with express permission to complete such request.

Relevant Data

Relevant data, limited to only what is necessary in relation to it’s purpose:

Bitsy’s onboarding module ONLY collects relevant information to execute a compliant client enrollment.  We allow your prospects and clients to electronically sign enrollment documents, proving consent for data collected.

Personal Data Retention

Personal data should be kept for no longer than is necessary for proper subject identification:

You will be eligible to remove all collected data in regards to one or multiple client(s), when storing of such data becomes irrelevant.  Bitsy also creates a trail of all changes made by or on behalf of prospects and clients, for your security.

Again, you MUST be an approved person listed in the "Data Collection" tab to be eligible for data removal requests. 

Please also refer to the "Client Information and Record Retention Requirements" tab held within the "Compliance Checklist" section for an explanation of how we safeguard client information, and our safe removal protocols held therein.

Data Accuracy

Personal data should be accurate and up to date, where necessary:

Clients agree within Bitsy’s modules to provide you with clear and accurate data.  It is their responsibility to abstain from delivering false information.

Data Security

Personal data should be processed securely; furthermore, in a manner that is appropriate to the sensitivity of such data.

Bitsy provides a high level of data encryption to all members, ensuring that all customer information is perpetually stored in a secured database. 

We utilize state-of-the-art hacker prevention protocol to prevent access to our network.  We continually update our anti-virus and malware prevention systems to keep you, your prospects and your clients safe.


Every transaction between an advisor/advisory firm and Bitsy is secure. We only accept payments through the following methods:

Check or Wire


Bitsy Network


Rest easy knowing Bitsy operates from a 'security first' mindset.


Credible, third-party vendors ensure high data security.  We outsource this function to the best providers who make it their business to keep you and your clientele safe.


Regular cyber risk assessments protect you at all times.

Learn more →


Disaster Recovery

Our plan is built to prevent, detect and correct to ensure you and your clientele have the best experience possible.


Incident Response

       Annual testing of this plan

       Response within 1 hour

       Continual training in protocol

       24/7 file-integrity monitoring

       Perpetual plan updates


If you’d like to see a copy of our insurance coverages that keep us, you and your clients safe, please submit a written request to:


Email: [email protected] with the subject line of "Coverage Request"

Address:  800 S. Gay St., STE 1100 ATTN: Bitsy Advisor, Knoxville, TN 37929

ISO 27001:2013

DocuSign is ISO 27001:2013 certified. This is the highest level of global information security assurance available today, and provides customers assurance that DocuSign meets stringent international standards on security.

SOC I & II, Type II

As a SOC 1 and SOC 2-certified organization, DocuSign complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA). We undergo yearly audits across all aspects of our production operations, including our datacenters, and have sustained and surpassed all requirements.

ISO 27001:2013

DocuSign adheres to the requirements of the Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) program. The CSA STAR comprises key principles of transparency, rigorous auditing, and harmonization of standards. Our Consensus Assessments Initiative Questionnaire (CAIQ) documents the rigor and strength of DocuSign’s security posture and best practices and is publicly accessible for viewing and download from the CSA STAR registry.

SOC III & ISO Certifications

All Firebase services (aside from App Distribution and Crashlytics) have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process.

       ISO 27001

       ISO 27017

       ISO 27018

       SOC I

       SOC II

       SOC III

Critical Functions

Bitsy perpetually agrees to maintain a high level of successful operation of it's services.  Regardless of what external forces may threaten the integrity of our system.

Should there be any level of disruption to our service(s), Bitsy proactively implements a solution before acquiring new customers.


Bitsy acknowledges that it's members rely on our system for compliant client acquisition.  We agree to continually maintain and upgrade the integrity of our system to ensure our members get more (where possible) in value, than what they pay for.


Where possible, Bitsy agrees to proactively acknowledge possible and current threats and complications to it's system and to put aside all other activity to amend such faults, as quickly as possible.  We also agree to keep all members regularly apprised of ongoing circumstances, how they might be affected and what we're doing to amend any complications.  This communication will happen at least once every 24 hours.


Bitsy prides itself in being reliable; thus, we commit to regularly (at least 2 - 4 times annually) check the integrity of our system, tools and support capabilities to ensure our members experience little to no interruption in service.

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:

  1. Identifiers.
  2. California Customer Records personal information categories.

We disclose your personal information for a business purpose to the following categories of third parties:

Information we collect (expanded)….

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months: