INFC New Marketing and Communications – Global Privacy Policy
1) Who we are
INFC New Marketing and Communications (“INFC”, “we”, “us”) provides marketing and communications services, including digital advertising, content production, influencer marketing, audience analytics, and campaign optimization for clients globally. We act as a data controller when we determine the purposes and means of processing personal data (e.g., our own subscribers, prospects, site visitors) and as a data processor when we process personal data on behalf of our clients per their instructions. ISO/IEC 27701 provides internationally recognized requirements and guidance for privacy information management systems (PIMS); INFC aims to align internal privacy controls with this standard to demonstrate accountability and global applicability.
2) The personal data we collect
We collect and process the following categories (depending on interaction and region):
-
Identifiers & contact details (e.g., name, email, phone, postal address, device IDs). Under CCPA/CPRA, these may be considered “personal information,” with “sensitive personal information” subject to additional limitations (e.g., precise geolocation).
-
Commercial & engagement data (e.g., campaign interaction, event registrations, downloads, purchases related to our services).
-
Online activity & technical data (e.g., cookies, pixels, IP, browser type, pages viewed, time on page, referral URLs, device and network information). PECR/ePrivacy rules require consent for non-essential cookies and similar technologies.
-
Preference & consent records (e.g., marketing preferences, opt-in/opt-out status, Do Not Call flags). CASL/PDPA/DNC require documented consent or registry checks before sending commercial messages or telemarketing.
-
Client-provided data (if we act as processor): audience lists, segmentation fields, campaign performance metrics, subject to contractual obligations and client instructions. ISO/IEC 27701 addresses controller/processor roles.
We do not intentionally collect or process sensitive personal data for marketing (e.g., health, biometric, sexual life, religious beliefs). Under Brazil’s LGPD, legitimate interest cannot justify processing sensitive data for marketing.
3) How we obtain data
-
Directly from you (forms, event sign-ups, newsletter subscriptions, account creation, surveys, or business cards). GDPR requires clear, lawful basis and transparent notices at collection. [gdpr-advisor.com]
-
Automatically via our sites/apps through cookies and similar technologies (only after consent where required). ePrivacy/PECR require active opt-in for non-essential cookies (analytics, advertising). [ico.org.uk], [communicat...ons.gov.uk]
-
From partners or platforms (publisher networks, social platforms, analytics providers) under contracts limiting use consistent with privacy laws (e.g., service provider/processor terms and “sharing” considerations under CPRA).
-
Public sources (trade directories, publicly available profiles) used in limited B2B contexts where permitted by law; we honor opt-out requests and local Do Not Call (DNC) rules.
4) Purposes of processing
We use personal data for:
-
Marketing communications (email, SMS/MMS, phone, in-app notifications) consistent with consent/opt-out rules under CAN-SPAM (US), CASL (Canada), Spam Act (Australia), PDPA/DNC (Singapore).
-
Personalization and audience segmentation (e.g., content recommendations, frequency capping) with appropriate lawful basis (consent or legitimate interests where permitted under GDPR/UK GDPR, subject to balancing tests).
-
Measurement and analytics (campaign performance, attribution). Non-essential analytics cookies typically require consent under PECR/ePrivacy.
-
Business operations (recordkeeping, compliance, security, fraud prevention). GDPR recognizes purposes like legitimate interests with safeguards.
5) Lawful bases
Where applicable (EU/UK/EEA and similar regimes), our lawful bases include:
-
Consent: for email/SMS marketing, certain cookies, and targeted advertising. Consent must be freely given, specific, informed, and easy to withdraw
-
Legitimate interests: for certain direct marketing to existing customers or B2B contacts where privacy impact is low and individuals would reasonably expect it; we conduct Legitimate Interest Assessments (LIA) following EDPB/ICO guidance.
-
Contract: to fulfil requested services (e.g., event registration confirmations)
-
Legal obligations: to comply with applicable laws (e.g., honoring opt-out signals, record retention).
Under Brazil’s LGPD, legitimate interest is permitted for non-sensitive data when documented via a balancing test and appropriate safeguards; sensitive data requires other bases.
6) Cookies, trackers, and similar technologies
We use first- and third‑party cookies and similar technologies to enhance user experience, analyze traffic, and deliver ads. We provide a cookie banner and settings tool to manage preferences. In the UK/EU, non-essential cookies require prior consent; implied consent is not sufficient.
Note (UK updates): PECR fines were increased in 2025 and certain cookie consent requirements were reformed by the Data (Use and Access) Act—organizations operating in the UK must monitor changes and ensure both UK and EU regimes are respected.
7) “Selling” or “Sharing” personal information (California)
INFC does not sell personal information for money. Some disclosures for cross‑context behavioral advertising may be deemed “sharing” under CPRA, requiring opt-out and honoring Global Privacy Control (GPC). We provide “Do Not Sell or Share My Personal Information” and “Limit Use of Sensitive Personal Information” links where applicable.
8) Email/SMS marketing compliance
When we send marketing emails/SMS:
-
United States (CAN-SPAM): we include accurate sender information, non-deceptive subject lines, physical postal address, and a functional unsubscribe; opt-outs are processed promptly.
-
Canada (CASL): opt‑in consent (express or statutory implied) is required before sending commercial electronic messages; messages must include identification and unsubscribe functionality. Penalties can reach millions of dollars.
-
Australia (Spam Act 2003): consent (express or inferred within an ongoing relationship), sender identification, and a functional unsubscribe are mandatory; ACMA enforces compliance and can issue significant penalties.
-
Singapore (PDPA/DNC): check the DNC Registry or obtain clear, unambiguous consent in evidential form; identify the sender and offer opt-out via the same channel.
9) Your privacy rights
Depending on your location, you may have rights to:
-
Access: request confirmation and a copy of your data (GDPR Art. 15; detailed EDPB guidance).
-
Rectification: correct inaccurate data.
-
Erasure: request deletion (“right to be forgotten”) subject to legal exceptions.
-
Restriction & objection: restrict processing or object to direct marketing—GDPR makes the right to object to direct marketing absolute.
-
Portability: receive data provided by you in a structured, commonly used, machine‑readable format and transmit it to another controller (when processing is automated and based on consent/contract).
-
California: right to know, delete, correct, opt‑out of sale/sharing; limit use of sensitive personal information; non‑discrimination.
-
Singapore: access/correction, withdrawal of consent, DNC protections.
-
Canada: unsubscribe, and other CASL protections for CEMs.
To exercise rights, contact us at [info@infcmktg.com] or use our self‑service portal (where available). We will respond within the legally required timeframes (e.g., one month under GDPR; different timelines may apply under other laws).
10) Data retention
We retain personal data only as long as necessary for the purposes described (e.g., honoring unsubscribes, fulfilling legal obligations, resolving disputes). GDPR’s storage limitation principle and ISO/IEC 27701 encourage documented retention schedules aligned to purpose necessity.
11) International data transfers
When transferring personal data internationally, we implement appropriate safeguards (e.g., standard contractual clauses, transfer risk assessments, regional mechanisms) to ensure a level of protection comparable to local law (e.g., GDPR/UK GDPR, PDPA transfer requirements).
12) Data security
We maintain technical and organizational measures to protect data against unauthorized access, disclosure, alteration, and loss, following risk-based practices and (where feasible) aligning to ISO/IEC 27701 as a PIMS and complementary security frameworks.
13) Children’s privacy
Our marketing services and websites are not directed to children. We do not knowingly collect personal data from children without appropriate parental consent and controls under applicable laws.
14) How we share data
We share data:
-
With service providers/contractors who process data under written agreements, limited to specified purposes and subject to confidentiality and security obligations (e.g., email platforms, analytics, CRM, ad tech). Under CPRA, we assess whether disclosures constitute “sharing” for cross‑context behavioral advertising and provide opt-outs.
-
With clients (where we act as processor) per instructions, subject to data processing agreements. ISO/IEC 27701 articulates controller/processor responsibilities.
-
For legal reasons (to comply with lawful requests, enforce agreements, protect rights or safety).
We do not sell your personal information for money. Where our activities may be deemed “sharing” (for behavioral advertising), we honor opt‑out signals (including GPC) as required.
A) European Union / EEA & United Kingdom
We apply GDPR/UK GDPR principles: lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity/confidentiality; accountability. We provide clear notices, obtain consent where required (e.g., cookies), honor rights requests, and document legitimate interests via LIA. For electronic marketing and cookies, PECR/ePrivacy apply in the UK/EU and require prior consent for non‑essential cookies. (Note UK DUA Act 2025 increased PECR fines and introduced changes—INFC monitors updates and applies the stricter regime where applicable).
B) United States (California)
We disclose CPRA rights and provide: “Do Not Sell or Share My Personal Information,” “Limit the Use of My Sensitive Personal Information,” and a Notice at Collection describing categories, purposes, and whether information is sold/shared. We honor opt-out signals (e.g., GPC).
C) Canada (CASL)
Before sending commercial electronic messages (CEMs) to, from, or within Canada, we require consent (express or implied by statute), include sender identification and unsubscribe features, and maintain records; penalties can reach up to CAD $10 million.
D) Singapore (PDPA & DNC)
We either obtain clear and unambiguous consent (in evidential form) or check the DNC Registry before telemarketing to Singapore numbers, and provide opt‑out via the same medium within 21 days.
E) Australia (Privacy Act 1988 & Spam Act 2003)
We ensure direct marketing complies with APP obligations and Spam Act requirements (consent, sender identification, easy unsubscribe); ACMA’s guidance applies to both express and inferred consent within ongoing relationships.
F) Brazil (LGPD)
We use legitimate interest for non‑sensitive data only after a balancing test with safeguards; sensitive personal data requires other legal bases. ANPD guidance (2024) sets parameters and a three‑step test.
16) How to contact us
-
Privacy inquiries & rights requests: [info@infcmktg.com]
Data Protection Officer (if appointed): [info@infcmktg.com]
We will verify identity, assess jurisdiction, and respond within applicable timelines (e.g., one month under GDPR; 10 business days to honor CAN-SPAM unsubscribes; 5 business days under Australia Spam Act; 21 days for Singapore DNC opt‑out).
17) Updates to this policy
We may update this policy to reflect changes in our practices or in applicable laws. Significant changes will be indicated by updating the “Last updated” date and, where required, providing additional notice (e.g., website banner or email).