Privacy Policy

Privacy Policy for MYG (Make You Get It LLC)

Effective Date: March 20, 2023

Last Revised: August 26, 2025

1. Introduction

Make You Get It LLC (“MYG”) is a social impact strategic consulting and advocacy firm. This Privacy Policy explains how MYG collects, uses, protects, and shares personal information across its services, including consulting, advocacy, intake forms, SMS/text messaging, telehealth coordination, and partnerships. We are committed to exceeding legal requirements and building trust with clients, partners, and regulators.

2. Categories of Information We Collect

We collect the following categories of information, depending on the service provided:

• Personal Identifiers: Name, email, phone number, mailing address, date of birth.
• Professional/Organizational Details: Role, employer, affiliation.
• Sensitive Information: Disability accommodations, education or medical records (with consent).
• Financial Data: Payment records and invoicing information, but not credit card details.
• Technical Information: Device type, browser, IP address, cookies, analytics.
• Communications: Emails, SMS, consultation notes.

This information may be linked to specific case files for advocacy or consulting projects.

3. Sources of Information

• Direct Collection: Provided by individuals when engaging services, filling out forms, or contacting us.
• Automatic Collection: Cookies, analytics tools, and system logs.
• Third Parties: Referrals from schools, nonprofits, or government entities when legally authorized.

In all cases, MYG ensures that information is collected lawfully and with appropriate disclosures.

4. Purposes of Processing

We process information to:

• Deliver consulting, advocacy, and strategic planning services.
• Provide training and workshops.
• Manage communications and client relationships.
• Ensure compliance with laws and funding requirements.
• Improve services through quality assurance and feedback.
• Protect security and prevent fraud.

We also de-identify and aggregate data for research, evaluation, and reporting.

5. Lawful Bases & U.S. State Privacy Rights

We rely on consent, contractual necessity, legal obligations, and legitimate interests to process information. We comply with U.S. state privacy laws including California CPRA, Virginia VCDPA, Texas TDPSA, Oregon OCPA, and New Jersey NJDPA. We honor rights to access, correction, deletion, restriction, portability, and opt-out of targeted advertising or sale of data. We recognize Global Privacy Control (GPC) signals as required.

6. Cookies, Tracking, and Preference Center

MYG uses cookies and tracking technologies to enhance functionality, monitor site usage, and improve services. Types of cookies include:

• Essential Cookies: Required for site security and functionality.
• Analytics Cookies: Used for website traffic analysis (Google Analytics).
• Preference Cookies: Store language and accessibility preferences.
• Marketing Cookies: May be used to tailor outreach and advocacy campaigns.

We provide a cookie banner that allows visitors to Accept All, Decline All, or Manage Preferences.

7. Minors and Education Records (COPPA/FERPA)

When advocating for minors, MYG ensures compliance with COPPA and FERPA. We do not knowingly collect data from children under 13 without verifiable parental consent. For students, MYG applies FERPA standards to all education records, ensuring confidentiality and controlled access.

8. Sensitive Information

MYG may process sensitive data, such as disability or medical advocacy records, only with explicit consent or legal basis. We apply additional safeguards, including encryption, limited access, and redaction when feasible. We do not use sensitive information for profiling or marketing.

9. Sharing with Service Providers and Partners

MYG may share personal information with:

• Service Providers: IT, payment processors, cloud storage, secure telehealth vendors.
• Government Entities: When legally required for compliance or advocacy.
• Partner Organizations: Only with confidentiality agreements in place.

We do not sell personal data. All third-party access is monitored and logged.

10. Data Retention & Disposal Schedule

We retain information based on service and legal requirements:

• Client advocacy files: 7 years after last activity.
• Strategic consulting project files: 7 years.
• Communications and intake forms: 3 years.
• Web analytics and cookies: 14 months.

After the retention period, data is securely deleted or destroyed per NIST standards. Exceptions may apply for legal holds, audits, or ongoing disputes.

11. Security Controls & Incident Response

MYG implements industry-standard security measures, including:

• Encryption: All sensitive data encrypted in transit and at rest.
• Access Controls: Role-based permissions with multi-factor authentication.
• Monitoring: Continuous monitoring of networks, systems, and access logs.
• Incident Response Plan: Identify, contain, eradicate, recover, and review.

We notify affected individuals and regulators promptly in accordance with breach laws.

12. International Data Transfers

MYG operates primarily in the United States. When data must be transferred internationally, we apply Standard Contractual Clauses (SCCs) and other appropriate safeguards, ensuring compliance with GDPR and other applicable laws.

13. Automated Decision-Making & AI Use

MYG does not rely solely on automated decision-making for legal or eligibility outcomes. Where AI tools are used (e.g., for translation, drafting, or analytics), results are reviewed by humans. Clients may request information about the logic and significance of automated processing.

14. SMS/Texting (10DLC) Compliance

By providing a phone number, clients consent to receive SMS/text communications relevant to their services.

• Reply STOP to opt out.
• Reply HELP for assistance.
• Message and data rates may apply.

Consent is not a condition of service. We comply with 10DLC registration requirements for local numbers.

15. Your Privacy Rights Request (DSR) Workflow

Clients may exercise their privacy rights by submitting a Data Subject Rights (DSR) request. Requests can be made via:

• Email to info@makeyougetit.com
• Online intake forms
• Postal mail to our Emeryville office

Workflow includes verifying identity, logging the request, responding within statutory timelines (usually 30–45 days), and providing appeal processes where required.

16. Accessibility & Language Access

MYG is committed to accessibility and inclusion. We provide reasonable accommodations, interpreter services (including ASL), translated materials, and alternative formats upon request. Our websites are designed to conform with WCAG 2.2 AA standards.

17. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or website notice. We encourage clients and partners to review the policy regularly to stay informed.

18. Contact

For questions, concerns, or to exercise your rights under this policy:

Make You Get It LLC (MYG)
Email: info@makeyougetit.com
Phone: 510-756-5700
Address: 1900 Powell Street, Suite 700, Emeryville, CA 94608

Appendix A — Glossary

This glossary provides plain-language definitions of privacy and compliance terms used in this document:

• DSR: Data Subject Rights
• SCC: Standard Contractual Clauses
• CPRA: California Privacy Rights Act
• HIPAA: Health Insurance Portability and Accountability Act
• FERPA: Family Educational Rights and Privacy Act
• ADA: Americans with Disabilities Act
• 10DLC: 10 Digit Long Code for text messaging

Additional definitions are available upon request.

Appendix B — Data Retention Schedule (Detailed)

Category: Advocacy records — Retention: 7 years from last activity
Category: Consulting project files — Retention: 7 years
Category: Intake forms and communications — Retention: 3 years
Category: Web analytics data — Retention: 14 months
Category: Financial transaction data — Retention: 7 years

Disposal methods include shredding, secure wiping, or permanent deletion in accordance with NIST standards.

Appendix C — Incident Response SOP

The Incident Response process includes:

1. Identify incident
2. Contain impact
3. Eradicate threat
4. Recover operations
5. Notify affected parties and regulators
6. Document lessons learned

Each step is documented and assigned to designated staff.

Appendix D — Data Subject Request (DSR) Workflow

The DSR workflow ensures compliance with privacy laws:

• Intake request via email, form, or phone
• Verify identity using multi-factor verification
• Determine scope and feasibility
• Provide response within 30–45 days
• Offer appeal mechanism if request denied

All requests and outcomes are logged for auditing.

Appendix E — Cookie Categories & Vendors

Cookie categories include:

• Essential cookies — Required for functionality and security
• Analytics cookies — Google Analytics and similar tools
• Marketing cookies — For outreach campaigns

Vendors are vetted and subject to confidentiality agreements.