CONTACT US

Privacy Notice

External Privacy Notice (PDF) Work Position Applicant Privacy Notice (PDF)

External Privacy Notice

SHEEHAN PHINNEY BASS & GREEN PA
PRIVACY NOTICE

Effective as of December 31, 2025, and supersedes and replaces any prior Privacy Notice.

I. SCOPE OF THIS PRIVACY NOTICE

Sheehan Phinney Bass & Green PA (“Sheehan Phinney”, “Organization”, "us", "we" or "our") is committed to protecting the privacy of the individuals about whom we process “personal information” (also known as “personal data”). While various laws define personal information differently, in general terms it means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to individuals (or under certain laws a household).

This privacy notice ("Privacy Notice") is designed to assist you in understanding how we “process” and safeguard, retain and destroy the personal information of individuals covered by this Privacy Notice (“data subject”, “you”, or “your”). “Process” means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal information. When we discuss personal information that we are processing, that includes processing that we do, as well as processing undertaken on our behalf by others.

This Privacy Notice covers our activities in our role as “controller” of your “personal information”. “Controller” means that we are the one responsible for determining the purposes and means for processing personal information. As used in this Privacy Notice, the term “disclose” means to disclose, provide to, or provide access to personal information to those outside our Organization, and includes situations where the personal information is obtained and processed directly by them on our behalf.

This Privacy Notice covers personal information we obtain from you directly and from other sources, including situations where others are processing personal information on our behalf. It applies when you visit our website or use any of our services, or otherwise transact business or have other dealings with us which involve us processing your personal information. We have a separate Privacy Notice specifically for work position applicants (covering the capacities of potential employee and individual independent contractor workers) which may be viewed here (https://www.sheehan.com/privacy).

II. CONTACT US

For more information about our privacy practices, or if you have questions or concerns regarding our Privacy Notice, our privacy practices, the security at our website or other services, or any rights you might have with regard to the personal information we obtain or otherwise process about you, you may contact our Privacy Officer in any of the ways set out in Section IV of this Privacy Notice.

III. OUR ACTIVITIES WITH RESPECT TO PERSONAL INFORMATION

In this Section III of this Privacy Notice, we discuss our processing activities in relation to your personal information. The information is presented for each category of personal information that we process, and the processing details within each category apply to that category as a whole.

With regard to disclosing of personal information in particular, in subsection A below we discuss disclosing personal information to processors and others providing services to us or on our behalf. In subsection B, we discuss situations where we may disclose your personal information to others outside our organization.

In subsection C, we also provide more detail about information collected through online technologies, including a discussion about cookies and any other technologies that we and/or others acting on our behalf may use with regard to processing personal information.

Please note that Section VII of this Privacy Notice titled “Jurisdiction-specific Information” provides additional information regarding our privacy practices as to the personal information of data subjects protected by the laws of the jurisdictions identified therein, and supplements the other provisions of this Privacy Notice. In the event of any inconsistency between the provisions stated in Section VII and the provisions stated in the rest of this Privacy Notice, the provisions under Section VII, to the extent applicable, will take precedence.

RETENTION AND DESTRUCTION OF PERSONAL INFORMATION

Data subjects’ personal information is retained in paper and/or electronic documents/records. We typically maintain personal information contained in documents/records according to our document retention policies or programs. The time period of retention may be up to 10 years or even indefinitely according to the nature of documents/records and the type of personal information contained therein.

In some cases certain personal information may be retained for an extended period of time, or even indefinitely (depending on the circumstances) as follows:

  • to comply with legal obligations;
  • to protect or enforce our rights or defend us against claims and legal actions;
  • to prove ownership of property
  • to prove resolution of claims/disputes
  • for historical reasons pertaining to our business (for example, to analyze trends over time, understand past business practices, support future strategies and decision making, provide context for current operations, support research and historical analysis, and/or document significant events in our Organization’s history)

While we maintain such personal information, we continue to apply our security standards and procedures to protect it. We destroy your personal information when it will no longer be retained by us, using methods designed to render the personal information unreadable, undecipherable and irretrievable.

A. CATEGORIES OF PERSONAL INFORMATION THAT WE PROCESS AND DETAILS RELATING TO THE SAME
1. IDENTIFIERS

(This category of personal information covers various types of information used to identify data subjects (and under certain laws, households)). We process personal information in this category, such as:

  • Direct Personal Identifiers, such as real name (first & last), signature, home and/or postal address (including street and/or PO Box), email address(es), telephone and cell phone numbers, alias(es), fax number, work address
  • Indirect Personal Identifiers, such as parts of a birthday (e.g., year, month and year, day and month), birthdate, parts of an address, handwriting
  • Assigned Identifiers, such as Social Security Number, tax identification number, bank account number(s), debit card account number(s), credit card account number(s), account name(s)

The personal information that we process in this category is obtained from the following sources: directly from the data subject, public sources, social media services/providers, credit bureaus/credit reporting agencies, background check and investigation providers, references sources, law enforcement authorities, customers/clients, processors/service providers, vendors, Caller ID and/or VOIP specific tracking as such with Teams, Zoom, Webex and similar applications to track source of call; financial services providers

We process the personal information in this category for the following reasons:

  • Communications: communicate with data subjects, including responding to inquiries and requests, and providing information about services; provide publications
  • Carry out business relationship with data subject: prepare for, enter into, and carry out a contract with the data subject; provide the requested services; process payment for services, set up accounts
  • Carry out business relationship with data subject’s company/organization: prepare for, enter into, and carry out a contract with the data subject; provide the requested services; process payment for services, set up accounts
  • Customer support: provide customer support
  • Facilitating use of Organization resources: enable use of our online services
  • Legal obligations: comply with income, sales and/or use tax reporting requirements, comply with regulatory and/or other legal obligations
  • Promotional activities: provide events, such as seminars, webinars, and other presentations; client and other receptions and social gatherings
  • Troubleshooting and maintenance: troubleshoot/diagnose problems with and maintain our website
  • Marketing: advertise/market our services, participate in social media

We generally retain the personal information in this category according to the criteria set forth at the beginning of Section III under the heading “RETENTION AND DESTRUCTION OF PERSONAL INFORMATION”.

We disclose the personal information in this category to the following categories of recipients who are outside our Organization: payment processors, software as a service (SaaS) providers such as data storage providers; private investigators/background investigators; customer relationship management providers; email services providers (other than simply an email services provider acting as a conduit for sending and receiving emails), marketing and advertising service providers; time and billing providers; document management providers; information technology (IT) services providers

Other potential recipients are identified in Section III.B.2 of this Privacy Notice.

We disclose the personal information in this category to those recipients for the following reasons: for the recipients identified in the preceding section to provide services to or on behalf of the Organization; for the reasons identified in Section III.B.2 of this Privacy Notice;

We do not sell your personal information in this category. We do not use personal information in this category for targeted, cross-contextual or behavioral advertising.

VII. JURISDICTION-SPECIFIC INFORMATION

This Section provides additional information regarding our privacy practices as to the personal information of data subjects protected by the laws of the jurisdictions identified in the Addendums below, and supplements the other provisions of this Privacy Notice. In the event of any inconsistency between the provisions of any Addendum in this Section VII and the provisions stated in the rest of this Privacy Notice, the provisions of the Addendum, to the extent applicable, will take precedence.

CALIFORNIA PRIVACY ADDENDUM

A comprehensive description of our online and offline personal information practices is set forth in the main body of our Privacy Notice to which this Addendum pertains. This Addendum addresses the rights of data subjects (or “you”) who are consumers under the California privacy laws set forth below, and how to exercise those rights.

California Shine the Light Act

Individual consumers who reside in California and have provided us with their personal information may request information about our disclosures of certain categories of personal information to third parties for their direct marketing purposes. Such requests must include your name, street address, city, state, and zip code. Requests may be sent by email or by mail to our Privacy Officer as set out in Section IV of the Privacy Notice. We reserve our right not to respond to requests submitted to addresses other than those specified.

If we determine that the Act applies, within thirty days of receiving such a request, we will provide a list of the categories of personal information disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, along with the names and addresses of these third parties. This request may be made once per calendar year.

California Consumer Privacy Act (CCPA)

1. Notice at Collection of Personal Information

The purpose of the Notice at Collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them, the purposes for which the personal information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over the business’s use of their personal information. For example, upon receiving the Notice at Collection, the consumer can use the information in the notice as a tool to choose whether to engage with the business, or to direct the business not to sell or share their personal information and to limit the use and disclosure of their sensitive personal information. Below are our Notice at Collection disclosures.

  • A. Categories of Personal Information: A list of the categories of personal information about consumers, including categories of sensitive personal information, that we may collect is contained in Section III.A of our primary Privacy Notice.
  • B. Purposes for Collection: The purpose(s) for which the categories of personal information, including categories of sensitive personal information, may be collected and used are contained in Sections III.A and III.B of our primary Privacy Notice.
  • C. Selling or Sharing: As stated in our primary Privacy Notice, we do not sell or share personal information in any category. See Section III.A of our primary Privacy Notice.
  • D. Retention Period: The length of time we intend to retain each category of personal information identified herein, or if that is not possible, the criteria used to determine the period of time it will be retained is contained in Section III.A of our primary Privacy Notice.
  • E. Privacy Notice Link: Here is a link to our Privacy Notice: https://www.sheehan.com/privacy. A copy of our Privacy Notice also may be accessed at each of our office locations in the reception area.
2. Privacy Notice Disclosures

Our primary Privacy Notice contains a comprehensive description of our online and offline information practices. As to the CCPA requirements specifically, the following applies:

  • A. Categories Collected: The categories of personal information we have collected about consumers in the preceding 12 months is contained in Section III.A of our primary Privacy Notice.
  • B. Sources of Collection: The categories of sources from which the personal information is collected is contained in Section III.A of our primary Privacy Notice.
  • C. Business Purpose: The specific business or commercial purpose for collecting personal information from consumers is contained in Sections III.A and III.B of our primary Privacy Notice.
  • D. Sold or Shared: We have not sold or shared consumers’ personal information in the preceding 12 months, and likewise have no actual knowledge that we sell or share the personal information of consumers under 16 years of age.
  • E. Disclosed for Business Purpose: The categories of personal information, if any, that we have disclosed for a business purpose to third parties in the preceding 12 months is contained in Section III.B of our primary Privacy Notice.
  • F. Third Party Recipients: For each category of personal information identified herein, the categories of third parties to whom the information was disclosed is contained in Section III.B of our primary Privacy Notice.
  • G. Disclosure Purpose: The specific business or commercial purpose for disclosing the consumer’s personal information is contained in Sections III.A and III.B of our primary Privacy Notice.
  • H. Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those specified in section 7027, subsection (m) of the CCPA Regulations.
3. Consumer Rights

The CCPA confers on consumers certain rights regarding their personal information, which includes all of the following:

  • A. Right to Know: The right to know what personal information we have collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information the business has collected about the consumer.
  • B. Right to Delete: The right to delete personal information that we have collected from the consumer, subject to certain exceptions.
  • C. Right to Correct: The right to correct inaccurate personal information that we maintain about a consumer.
  • D. Right to Non-Discrimination: The right not to receive discriminatory treatment by us for the exercise of privacy rights conferred by the CCPA.
4. How Consumers may exercise their rights under the CCPA
  • A. Consumers can exercise their CCPA rights by contacting us through our toll-free telephone number: 800 625-7724, or by emailing us at privacy@sheehan.com.
  • B. Because we do not sell or share your personal information, and we do not use or disclose sensitive personal information for purposes other than those specified in section 7027, subsection (m) of the CCPA Regulations, we do not process opt-out preference signals.
5. Verification of Requests

A. In order to verify the identity of consumers making requests to delete, to correct, or to know under our Privacy Notice, whenever feasible, we will attempt to match the identifying information provided by the consumer to the personal information of the consumer already maintained by us. We also may request information such as name, mailing address, email address, telephone number, copies of documents showing your name and address such as a utility bill. While we generally avoid asking for a copy of a government-issued ID, we may ask for the same if necessary to identify the consumer. We also may use a third-party identity verification service that complies with the CCPA requirements.

B. We generally will avoid requesting additional information from the consumer for purposes of verification. If, however, we cannot verify the identity of the consumer from the information already maintained by us, we may request additional information from the consumer, which shall only be used for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, security, or fraud-prevention. We will delete any new personal information collected for the purposes of verification as soon as practical after processing the consumer’s request, except as required to comply with our record keeping requirements under the CCPA or as required under our document retention policies or programs. We will not require the consumer or the consumer’s authorized agent to pay a fee for the verification of their request to delete, request to correct, or request to know. We will not require a consumer to provide a notarized affidavit to verify their identity unless we compensate the consumer for the cost of notarization.

C. For requests to correct, we will make an effort to verify the consumer based on personal information that is not the subject of the request to correct. For example, if the consumer is contending that we have the wrong address for the consumer we will not use that address as a means of verifying the consumer’s identity.

D. Our compliance with a request to know categories of personal information requires that we verify the identity of the consumer making the request to a reasonable degree of certainty. A reasonable degree of certainty may include matching at least two data points provided by the consumer with data points maintained by us that we have determined to be reliable for the purpose of verifying the consumer.

E. Our compliance with a request to know specific pieces of personal information requires that we verify the identity of the consumer making the request to a reasonably high degree of certainty. A reasonably high degree of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintained by us that we have determined to be reliable for the purpose of verifying the consumer together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.

F. Our compliance with a request to delete or a request to correct may require that we verify the identity of the consumer to a reasonable or reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion or correction.

G. We will deny a request to know specific pieces of personal information if we cannot verify the identity of the requestor in accordance with the requirements of the CCPA.

H. If there is no reasonable method by which we can verify the identity of the consumer to the degree of certainty required, we will state that in response to any request and explain why we have no reasonable method by which we can verify the identity of the requestor.

6. Authorized Agents

A. When a consumer uses an authorized agent to submit a request to delete, request to correct, or a request to know, we may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. We may also require the consumer to do either of the following:

  1. Verify their own identity directly with us.
  2. Directly confirm with us that they provided the authorized agent permission to submit the request.

We may require a signed letter of authorization or a power of attorney.

B. An authorized agent must implement and maintain reasonable security procedures and practices to protect the consumer’s information.

C. An authorized agent must not use a consumer’s personal information, or any information collected from or about the consumer, for any purposes other than to fulfill the consumer’s requests, verification, or fraud prevention.

7. No Sale or Sharing of Consumers’ Personal Information

We do not “sell” or “share” personal information of consumers as those terms are defined under the CCPA.

8. Sensitive Personal Information

We do not collect or process sensitive personal information for the purpose of inferring characteristics about consumers. Rather, we process sensitive personal information only to perform our services in specific matters. We do not use or disclose sensitive personal information for purposes other than those specified in section 7027, subsection (m) of the CCPA.

9. Minors

As a law firm, we may process certain personal information of our clients who are minors in connection with our representation of them. Where we do so it is with the knowledge and consent of such minors’ parent(s) or legal guardian(s), or in an appropriate case, knowledge and consent of a minor consumer who is at least 16 years of age.

Likewise, in order to effectively represent our clients’ rights in disputes, we may process certain personal information of plaintiffs, defendants or other individuals involved in or relevant to such disputes who are minors. In these cases, we process the personal information only pursuant to appropriate legal authority and process.

10. Contacting Us

If you have questions or concerns about our privacy policies and information practices, you may contact us using one or more of the methods identified in Section IV of our primary Privacy Notice to which this Addendum relates.

11. Date Last Updated

The date our Privacy Notice was last updated is set out at the beginning of the primary Privacy Notice to which this Addendum relates.

NEW HAMPSHIRE PRIVACY ADDENDUM (RSA 507-H)

A comprehensive description of our online and offline personal information practices is set forth in the main body of our Privacy Notice to which this Addendum pertains. This Addendum addresses the rights of data subjects (or “you”) who are consumers under New Hampshire’s privacy law, NH RSA 507-H, and how to exercise those rights.

New Hampshire Consumer Privacy Rights

Under NH RSA 507-H, subject to certain limitations and exemptions identified in the law, “consumers” (New Hampshire residents) whose personal information is processed by or on behalf of our Organization (the “controller”), have the right to:

  • (a) Confirm whether or not we are processing your personal data and access such personal data (unless it would reveal a trade secret);
  • (b) Correct inaccuracies in your personal data;
  • (c) Delete personal data provided by, or obtained about, you;
  • (d) Obtain a copy of your personal data in a portable and usable format;
  • (e) Opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

Definitions

  • "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information.
  • "Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
  • "Sale of personal data" means the exchange of personal data for monetary or other valuable consideration. It does not include disclosure to a processor, to a third party for requested products/services, to an affiliate, where directed by the consumer, for public mass media, or as part of a merger/acquisition.
  • "Targeted advertising" means displaying ads selected based on personal data obtained over time and across non-affiliated websites/apps. It does not include ads based on our own sites, current search queries, consumer requests, or for measurement/reporting.

How to Exercise Your Rights

You may exercise your rights by contacting us through our toll-free number: 800 625-7724, or by emailing us at privacy@sheehan.com.

A consumer may designate an authorized agent to exercise the right to opt-out. Parents or legal guardians may exercise rights on behalf of a known child or individuals under guardianship.

Response Timeline

We will respond to requests without undue delay, but not later than 45 days after receipt. We may extend this by 45 additional days if necessary, provided we inform you within the initial period. If we decline action, we will justify the decision and provide instructions for appeal.

Information is provided free of charge once per 12-month period. For excessive or repetitive requests, we may charge a reasonable fee or decline to act.

Appeals

If we refuse to take action on your request, you may appeal by contacting us at AppealPrivacyIssue@sheehan.com. We will respond within 60 days. If the appeal is denied, we will provide information on how to contact the attorney general.

TEXAS CONSUMER DATA PROTECTION ACT ADDENDUM

A comprehensive description of our online and offline personal information practices is set forth in the main body of our Privacy Notice to which this Addendum pertains. This Addendum covers rights that you as a consumer (i.e., Texas resident) may have under the Texas Data Privacy and Security Act (TDPSA), and our obligations in relation thereto.

1. Data Subject Rights

(a) Subject to any exemptions, restrictions or limitations under the TDPSA, a consumer is entitled to exercise the consumer rights identified below at any time as set forth in Section 2 below, specifying the consumer rights the consumer wishes to exercise. With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child may exercise the consumer rights on behalf of the child.

(b) Subject to any exemptions, restrictions or limitations under the TCDPA, we will comply with an authenticated consumer request to exercise the right to:

  • (1) confirm whether we are processing the consumer's personal data and to access the personal data;
  • (2) correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;
  • (3) delete personal data provided by or obtained about the consumer;
  • (4) if the data is available in a digital format, obtain a copy of the consumer's personal data that the consumer previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; or
  • (5) opt out of the processing of the personal data for purposes of:
    • (A) targeted advertising;
    • (B) the sale of personal data; or
    • (C) profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

2. How Texas consumers may submit Requests.

(a) Consumers may submit requests under section 1 above may exercise your request rights by contacting us through this toll free number: 800 625-7724, or by emailing us at privacy@sheehan.com. A consumer may designate another person to serve as the consumer ’s authorized agent and act on the consumer ’s behalf to opt out of the processing of the consumer personal data under Sections 541.051(b)(5)(A) (targeted advertising) and (B) (the sale of personal data).

(b) We will not require a consumer to create a new account to exercise the consumer's rights, but may require a consumer to use an existing account.

3. Our Responses to Data Subject Requests.

(a) Subject to any exemptions, restrictions or limitations under the TDPSA or as otherwise provided under the TDPSA, we will comply with a request submitted by a consumer to exercise the consumer's rights pursuant to Section 541.051 of the TDPSA as provided by that section.

(b) We will respond to the consumer request without undue delay no later than the 45th day after the date of receipt of the request. We may extend the response period once by an additional 45 days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as we inform the consumer of the extension within the initial 45-day response period, together with the reason for the extension.

(c) If we decline to take action regarding the consumer's request, we will inform the consumer without undue delay, no later than the 45th day after the date of receipt of the request, of the justification for declining to take action and provide instructions on how to appeal the decision in accordance with Section 541.053 of the TDPSA.

(d) We will provide information in response to a consumer request free of charge, at least twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, or repetitive, we may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. We bear the burden of demonstrating for purposes of this subsection that a request is manifestly unfounded, excessive, or repetitive.

(e) If we are unable to authenticate the request using commercially reasonable efforts, we are not required to comply with a consumer request submitted under Section 541.051 of the TDPSA and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.

(f) Where we have obtained personal data about a consumer from a source other than the consumer, we will be considered in compliance with a consumer's request to delete that personal data pursuant to Section 541.051(b)(3) of the TCDPA by:

  • (1) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from our records and not using the retained data for any other purpose under this chapter; or
  • (2) opting the consumer out of the processing of that personal data for any purpose other than a purpose that is exempt under the provisions of this chapter.

4. Right to Appeal.

(a) A consumer may appeal our refusal to take action on a request within 30 days after the consumer's receipt of our decision by contacting us at AppealPrivacyIssue@sheehan.com, and stating the basis for the appeal.

(b) We will inform the consumer in writing of any action taken or not taken in response to an appeal under this section not later than the 60th day after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision.

(d) If we deny an appeal, the consumer may contact the attorney general to submit a complaint by using the online mechanism found here: https://consumerprotection.texasattorneygeneral.gov/consumercomplaintportal/s/.

5. Additional Notices.

  • We do not sell your personal data.
  • We do not sell your sensitive personal data.
  • We do not sell your biometric personal data.
  • We do not process your personal data for targeted advertising purposes.
  • We do not process your personal data for profiling in furtherance of a decision that produces a legal or similarly significant effect concerning you.

WORK POSITION APPLICANT PRIVACY NOTICE

Effective as of January 1, 2026 and supersedes and replaces any prior Privacy Notice.

I. SCOPE OF THIS PRIVACY NOTICE

Sheehan Phinney Bass & Green PA (“Sheehan Phinney”, “Organization”, "us", "we" or "our") is committed to protecting the privacy of the individuals about whom we process “personal information” (also known as “personal data”). While various laws define personal information differently, in general terms it means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a data subject (and under one or more laws a household), and where a particular law that is applicable has a different definition, the definition under that law will apply.

This privacy notice ("Privacy Notice") is designed to assist you in understanding how we “process”, protect, retain, and destroy the personal information of individuals covered by this Privacy Notice (“data subject”, “you”, or “your”). “Process” means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal information. When we discuss personal information that we are processing, that includes processing that we do, as well as processing undertaken on our behalf by others.

This Privacy Notice covers our activities in our role as “controller” of your “personal information”. “Controller” means that we are the one responsible for determining the purposes and means for processing personal information. As used in this Privacy Notice, the term “disclose” means to disclose, provide to, or provide access to personal information to those outside our Organization, and includes situations where the personal information is obtained and processed directly by them on our behalf.

This Privacy Notice applies when you apply for a work position as an employee or independent contract worker with our Organization (“Work Position Applicant”). If you interact with us in a different capacity, our general Privacy Notice applies (and may be viewed here: https://www.sheehan.com/privacy).

II. CONTACT US

For more information about our privacy practices, or if you have questions or concerns regarding our Privacy Notice, our privacy practices, the security at our website or other services, or any rights you might have with regard to the personal information we obtain or otherwise process about you, you may contact our Privacy Officer in any of the ways set out in Section IV of this Privacy Notice.

III. OUR ACTIVITIES WITH RESPECT TO PERSONAL INFORMATION

This Privacy Notice applies only to personal information we process about you in your capacity as a Work Position Applicant. When you interact with us, our website(s), or mobile or other applications (where applicable), outside of the capacities of Work Position Applicant, our Privacy Notices related to the same will apply. Below are details related to our privacy practices as to personal information we process about you in your capacity as a Work Position Applicant.

Please note that Section VII of this Privacy Notice titled “Jurisdiction-specific Information” provides additional information regarding our privacy practices as to the personal information of data subjects protected by the laws of the jurisdictions identified therein, and supplements the other provisions of this Privacy Notice. In the event of any inconsistency between the provisions stated in Section VII and the provisions stated in the rest of this Privacy Notice, the provisions under Section VII, to the extent applicable, will take precedence.

A. PERSONAL INFORMATION WE PROCESS

We collect and otherwise process only limited types of personal information from you in your capacity as a Work Position Applicant:

B. SOURCES FROM WHICH THE PERSONAL INFORMATION IS OBTAINED

We obtain the personal information identified in Section III.A from the following sources:

C. PURPOSE(S) FOR PROCESSING THE PERSONAL INFORMATION

We obtain and use this personal information solely for the purpose of determining whether to engage you to undertake work for our Organization in any of the capacities identified above as a Work Position Applicant. In general, we will use your personal information only for the purposes for which such information was obtained by us. However, we may also use your personal information to:

D. WHO WE DISCLOSE YOUR PERSONAL INFORMATION TO AND WHY

1. Processors and Service Providers

We disclose your personal information to our data storage providers, our document management providers, background check providers, information technology (IT) services providers, and human resources information system providers. If you engage with any of our processors, service providers or other recipients that we have disclosed personal information to, for your own purposes apart from what they are doing for us, you will be subject to their privacy practices and notices/Policies, and we have no responsibility for the same. In such cases, we recommend that you review their privacy notices/policies to learn how they use your personal information.

2. Others to whom we may disclose your personal information and the purposes for doing so

In addition to the reasons for disclosing your personal information for our routine business and commercial activities as discussed in Subsection III.A above, we also may disclose your personal information to certain third parties for the reasons described in the chart below.

Category of Third Party Purpose for Disclosing Personal Information
Insurers In connection with obtaining liability and/or other insurance coverage to protect our rights, interests, and property, and in some cases the rights, interests and/or property of others; in connection with claims brought by or against our Organization and/or our personnel as needed.
Legal counsel For legal representation and advice, including in connection with claims by and against our Organization and/or its personnel; to protect our rights, interests, and property, and in some cases the rights, interests and/or property of others.
Financial and tax advisors; accountants For tax and other financial advice.
Government authorities (such as law enforcement authorities with regard to background checks) To comply with applicable laws, regulations, rules and the like, including any reporting obligations; to comply with legal process or governmental requests or orders served on us, including to meet national security requirements, and in connection with investigations.
Law enforcement authorities To comply with legal process or governmental requests or orders served on us, including to meet national security requirements, and in connection with investigations; protect the security and integrity of our software, systems, products and services; protect and enforce our rights, policies, and agreements; protect the interests of users of our websites, mobile apps (if any), and services, the interests of others acting on our behalf, and the public (where applicable), from harm and/or illegal activities; detect, prevent and/or otherwise address fraud, security or technical issues; respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death, serious bodily injury, or harm to any individual or their property, or harm to the business interests or property of individuals or entities.
Courts and other tribunals To comply with legal process, orders and the like issued by such tribunal, including to meet national security requirements, as well as investigations; in connection with claims brought by or against our Organization and/or its personnel; to protect our rights, interests, and property, and in some cases the rights, interests and/or property of others; protect the security and integrity of our software, systems, products and services; protect and enforce our rights, policies, and agreements; protect the interests of users of our websites, mobile apps (if any), and services, the interests of others acting on our behalf, and the public (where applicable), from harm and/or illegal activities; detect, prevent and/or otherwise address fraud, security or technical issues; respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death, serious bodily injury, or harm to any individual or their property, or harm to the business interests or property of individuals or entities.
Experts; investigators In connection with claims brought by or against our Organization and/or its personnel; to protect our rights, interests, and property, and in some cases the rights, interests and/or property of others.
Litigants and their legal counsel In connection with claims brought by or against our Organization and/or its personnel.

Notwithstanding any restrictions or limitations on our use of your personal information, we may transfer, sell or assign your personal information to third parties as a result of the sale, merger, consolidation, change in control, transfer of substantial assets, or a bankruptcy, reorganization or liquidation proceeding, involving us. Please note that we do not sell your personal information or use it for targeted, cross-contextual or behavioral advertising.

E. HOW LONG WE RETAIN YOUR PERSONAL INFORMATION

Data subjects’ personal information is retained in paper and/or electronic documents/records. We typically maintain personal information contained in documents/records for as long as needed by us, and where applicable pursuant to our document retention policies or programs. In some cases, certain personal information may be retained for an extended period of time, or even indefinitely (depending on the circumstances) under the following circumstances:

While we maintain such personal information, we continue to apply our security standards and procedures to protect it. We destroy your personal information when it will no longer be retained by us, using methods designed to render the personal information unreadable, undecipherable and irretrievable.

F. ADDITIONAL DETAILS ABOUT COOKIES AND OTHER TECHNOLOGIES WE USE

COOKIES

Cookies are small text or data files that are placed on your computer or other device that you use to access our website. Cookies provide a sort of memory for web pages. Cookies may be distinguished by who is setting the cookie on your device when you visit a website. A “first party cookie” refers to cookies set by us as the controller or operator of the site or by a processor acting on our behalf. On the other hand, a “third party cookie” refers to cookies that are set by other controllers that do not operate the particular site. Also, cookies are sometimes characterized by their duration. A “session cookie” is a cookie that is automatically deleted from your computer or device when you close your browser, whereas a “persistent cookie” is a cookie that remains stored in your computer or device until a defined expiration date and/or until you take steps to remove it.

Below is a general description of cookies, why they are used, and which ones we use, ourselves and/or through our processors/service providers.

1. Necessary Cookies

These cookies are necessary to provide use of a website. We use necessary cookies to (i) maintain the state of the user’s interactions on the website during a single session, and (ii) identify and mitigate automated traffic (bots) from malicious activities. They do not identify the user.

2. User Experience Cookies

These cookies improve/enhance your user experience of a website by enabling the site to remember information that changes the way the site behaves or looks, such as by setting your language preference, remembering your name or location, keeping you logged in, or providing enhanced or more personalized features. Please note that where you specifically request the relevant function that requires such cookies, that processing typically is treated as necessary. We do not use user experience cookies.

3. Analytical Cookies

These cookies collect information about your use of a website to analyze certain of your activities to help with understanding how visitors interact with the site, including estimating the number of unique visitors to the site and to specific pages within the site, to detect the most preeminent search engine keywords that lead to the site and to specific pages within the site, to identify site navigation issues, and to see how visitors move around the site. We use analytical cookies implemented by our analytics, Google Analytics, to identify the region of the United States where our website visitors are located. They do not identify the user.

4. Marketing Cookies

These cookies are used to track site visitors/users across third-party websites, including tracking browsing habits such as what pages a visitor/user visits, what items are viewed and how many times, and to display ads and provide focused advertising for goods or services that might be relevant or of interest to the particular visitor/user. We do not use marketing cookies.

5. Social Media Cookies

These cookies are set by third party social media platforms, may be integrated into a website, and are stored on a user’s device and/or browser, to track how individuals interact with the social media platforms. They can be used, for example, to identify when a user is signed into their social media account, how a user interacts with the social media platform, including advertisements on the platform, or other website, and to determine what types of advertisements to show individuals. In that sense they are similar to marketing cookies. They disclose information to social media networks, and also may be used to facilitate a more personalized browsing experience, or see embedded videos on a website. We do not use social media cookies.

You may be able to adjust your cookies preferences and even remove and disallow cookies through your browser settings. While you may be able to adjust your browser settings to remove Necessary Cookies, these cookies are not optional if you wish to use the features of the website or services to which they relate. While the other cookies identified above are optional, we recommend their use in order to provide certain direct or indirect benefits to you (e.g., the efficiency of use and improvement of our site or services).

Paylocity: We accept applications through a third party service provider, Paylocity. The Paylocity website uses cookies to enhance site navigation, analyze site usage, and assist in its marketing efforts. To learn more about Paylocity’s privacy practices, please visit https://www.paylocity.com/company/protecting-our-clients/privacy-center/.

Google Analytics: We use Google Analytics for the limited purpose(s) identified in Section III.C above. For information about how Google collects and processes data, please visit this link: www.google.com/policies/privacy/partners/ to the site "How Google uses information from sites or apps that use our services". See also the Google Analytics Opt-out Browser Add-on found at link: https://tools.google.com/dlpage/gaoptout. According to Google, the purpose of this add-on is to provide website visitors the ability to prevent their data from being used by Google Analytics.

G. AGE RESTRICTIONS; CHILDREN UNDER THE AGE OF MAJORITY; NOTICE TO PARENTS AND LEGAL GUARDIANS

We do not market to or intend to solicit individuals under the age of majority in the jurisdiction where they reside, or obtain such information from our online activities in connection with Work Position Applicants. We do not knowingly collect or process any personal information of individuals under the age of majority in the jurisdiction where they reside in connection with Work Position Applicants.

We take children’s privacy seriously, and encourage parents to play an active role in their children’s online experience at all times. If you have reason to believe a child under the age of 13 has provided us with any personal information, please contact our Privacy Officer (see Section IV of this Privacy Notice for contact details) and request that such information be deleted from our records.

H. THIRD PARTY SERVICES

Our website and/or services may contain links to third-party websites. If you access any third-party website links, you will leave our website and services. We do not control those third-party sites or their privacy practices, which may differ from our practices. We are not responsible for the privacy practices or content of linked third party sites.

We do not make any warranty or representation regarding, nor do we endorse, any such websites or the information or content appearing thereon or any of the products or services described therein, or the accuracy of the same. The personal information you choose to provide to or that is collected by these other parties is not covered by our Privacy Notice. We encourage you to review the privacy notices/policies of any third party before submitting your personal information. If you decide to access linked such websites, you do so at your own risk.

I. PROVISION OF COMMENTS

Our LinkedIn page, or other social media sites/pages where applicable, may contain features that allow you to disclose information and content, including personal information, via blogs, reviews, public profiles, and the like (collectively defined here as “Comments”). All Comments are provided by you voluntarily and at your sole discretion. Please note that Comments are public information and can be read, collected, and used by us, other users of such forums, and the general public. Comments could be used by persons outside our Organization to send you unsolicited messages or for other purposes. We are not responsible for the personal information or other information or content you choose to submit in Comments.

J. HOW WE PROTECT PERSONAL INFORMATION WE COLLECT

We have put in place security measures intended to protect the personal information we process. We take reasonable administrative, technical, and physical measures to safeguard against unauthorized access to, use, alteration, destruction, disclosure and transfer of, and accidental loss, alteration, and destruction, of the personal information we process.

Unfortunately, no data transmission over the Internet or method of storage can be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot ensure or guaranty the security of any personal information. Any personal information you transmit to us is at your own risk.

K. OPT-OUT/UNSUBSCRIBE

If you sign up/subscribe to our newsletter(s) or other publications (if any) and you no longer wish to receive the same, you may unsubscribe by using the opt-out/unsubscribe link located within each newsletter or other publication. If you do not wish to receive information or other material from us other than newsletter(s) or publications, you may "opt-out" of receiving these communications by using the opt-out/unsubscribe link located within each communication.

IV. YOUR RIGHTS WITH REGARD TO YOUR PERSONAL INFORMATION THAT WE PROCESS

Various personal information privacy laws, both in the United States (including a number of state privacy laws), and abroad, provide certain rights to data subjects. The rights covered under a particular law vary by the jurisdiction and the specifics of the law. We have included supplemental information in Section VII of this Privacy Notice addressing your rights under the laws of specific jurisdictions. Below is a list of data subject rights that may be recognized under various privacy laws. The laws vary as to what rights they cover. In addition to any jurisdictional supplement to this Privacy Notice under Section VII, if you believe you may have a right to, and would like to, exercise any of the potential rights below, please contact our Privacy Officer in one of the manners set forth at the end of this Section and we will address your request(s) in accordance with applicable law. Please note that none of the rights might apply to you, and even where they do there might be exceptions to or limitations on our obligation to comply with your requests.

Your rights may include some or all of the following:

Some browsers allow you to automatically notify websites you visit not to track you, by using a "Do Not Track" signal. There is no consensus among industry participants as to what "Do Not Track" means in this context. Like many websites and online services, we currently do not alter our practices when we receive a "Do Not Track" signal from a visitor's browser. We do not honor requests for or respond to Do Not Track signals/requests. To find out more about "Do Not Track," you may wish to visit www.allaboutdnt.com.

Our Privacy Officer contact information:

Mail: Privacy Officer, 1000 Elm Street, Manchester, NH, 03101

Email address: privacy@sheehan.com

Toll free telephone number: 800 625-7724

V. INTERNATIONAL TRANSFER OF PERSONAL DATA

We are located in the United States of America (“USA”). If you communicate with us, utilize our services, including our website(s), and mobile applications (where applicable), or otherwise engage in transactions with us from a location outside the USA, your communications and transactions will result in transferring your personal information across international borders. While that personal information is primarily processed and stored in the USA, it also may be accessed, processed and stored in locations outside the USA, including locations that might not be in the country where you are located. For example, we disclose your personal information to our processors/service providers, who process and store your personal information where their operations are located, which could be outside of the country where you are located and/or outside the USA.

The USA and other countries where your personal information could be accessed, processed or stored may not have privacy and data protection laws and enforcement procedures equivalent to the laws of the country where you are located. Whenever we transfer your information, we take steps to protect it as described in this Privacy Notice.

VI. CHANGES TO PRIVACY NOTICE

We may change our Privacy Notice at any time. Changes to our Privacy Notice will be effective when posted and the new effective date will be identified. You should review the Privacy Notice from time to time to check for changes.

VII. JURISDICTION-SPECIFIC INFORMATION

This Section provides additional information regarding our privacy practices as to the personal information of data subjects protected by the laws of the jurisdictions identified in the Addendums below, and supplements the other provisions of this Privacy Notice. In the event of any inconsistency between the provisions of any Addendum in this Section VII and the provisions stated in the rest of this Privacy Notice, the provisions of the Addendum, to the extent applicable, will take precedence.

CALIFORNIA PRIVACY ADDENDUM

A comprehensive description of our online and offline personal information practices is set forth in the main body of our Privacy Notice to which this Addendum pertains. This Addendum addresses the rights of data subjects (or “you”) who are consumers under the California privacy laws set forth below, and how to exercise those rights.

California Shine the Light Act

Individual consumers who reside in California and have provided us with their personal information may request information about our disclosures of certain categories of personal information to third parties for their direct marketing purposes. Such requests must include your name, street address, city, state, and zip code. Requests may be sent by email or by mail to our Privacy Officer as set out in Section IV of the Privacy Notice. We reserve our right not to respond to requests submitted to addresses other than those specified. If we determine that the Act applies, within thirty days of receiving such a request, we will provide a list of the categories of personal information disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, along with the names and addresses of these third parties. This request may be made once per calendar year.

California Consumer Privacy Act (CCPA)

1. Notice at Collection of Personal Information

The purpose of the Notice at Collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them, the purposes for which the personal information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over the business’s use of their personal information. For example, upon receiving the Notice at Collection, the consumer can use the information in the notice as a tool to choose whether to engage with the business, or to direct the business not to sell or share their personal information and to limit the use and disclosure of their sensitive personal information.

Below are our Notice at Collection disclosures:

2. Privacy Notice Disclosures

Our primary Privacy Notice contains a comprehensive description of our online and offline information practices. As to the CCPA requirements specifically, the following applies:

3. Consumer Rights

The CCPA confers on consumers certain rights regarding their personal information, which includes all of the following:

4. How Consumers may exercise their rights under the CCPA
5. Verification of Requests

A. In order to verify the identity of consumers making requests to delete, to correct, or to know, whenever feasible, we will attempt to match the identifying information provided by the consumer to the personal information already maintained by us. We also may request information such as name, mailing address, email address, telephone number, and copies of documents showing your name and address (such as a utility bill). While we generally avoid asking for a copy of a government-issued ID, we may ask for it if necessary. We also may use a third-party identity verification service that complies with the CCPA.

B. We generally will avoid requesting additional information for verification purposes. If, however, we cannot verify your identity from information already maintained, we may request additional information, which shall only be used for verification, security, or fraud prevention. We will delete any new personal information collected for verification as soon as practical, except as required for record-keeping.

C. We will not require a fee for verification. We will not require a notarized affidavit unless we compensate you for the cost.

D. For requests to correct, we will make an effort to verify based on personal information that is not the subject of the request (e.g., if you contend we have the wrong address, we will not use that address for verification).

E. A request to know categories requires verification to a "reasonable degree of certainty" (matching at least two data points). A request to know specific pieces of personal information requires a "reasonably high degree of certainty" (matching at least three pieces of information plus a signed declaration under penalty of perjury).

F. A request to delete or correct may require a reasonable or reasonably high degree of certainty depending on the sensitivity of the information and the risk of harm.

G. We will deny a request to know specific pieces of information if we cannot verify your identity.

H. If there is no reasonable method to verify identity, we will state that in our response and explain why.

6. Authorized Agents

A. When a consumer uses an authorized agent to submit a request, we may require proof of signed permission. We may also require the consumer to verify their own identity directly or confirm the agent's permission. We may require a signed letter of authorization or a power of attorney.

B. Authorized agents must maintain reasonable security procedures and practices.

C. Authorized agents must not use a consumer’s personal information for any purpose other than fulfilling the request, verification, or fraud prevention.

7. No Sale or Sharing of Consumers’ Personal Information

We do not “sell” or “share” personal information of consumers as those terms are defined under the CCPA.

8. Sensitive Personal Information

We do not collect or process sensitive personal information for the purpose of inferring characteristics about consumers. We process sensitive personal information only to perform our services in specific matters. We do not use or disclose sensitive personal information for purposes other than those specified in section 7027, subsection (m) of the CCPA.

9. Minors

As a law firm, we may process certain personal information of our clients who are minors in connection with our representation. Where we do so, it is with the knowledge and consent of the parent(s) or legal guardian(s), or in appropriate cases, the minor (if at least 16). We also may process personal information of minors involved in disputes, pursuant to appropriate legal authority.

10. Contacting Us

If you have questions or concerns about our privacy policies, you may contact us using the methods identified in Section IV of our primary Privacy Notice.

11. Date Last Updated

The date our Privacy Notice was last updated is set out at the beginning of the primary Privacy Notice.

NEW HAMPSHIRE PRIVACY ADDENDUM (RSA 507-H)

A comprehensive description of our online and offline personal information practices is set forth in the main body of our Privacy Notice to which this Addendum pertains. This Addendum addresses the rights of data subjects (or “you”) who are consumers under New Hampshire’s privacy law, NH RSA 507-H, and how to exercise those rights.

New Hampshire Consumer Privacy Rights

Under NH RSA 507-H, subject to certain limitations and exemptions identified in the law, “consumers” (New Hampshire residents) whose personal information is processed by or on behalf of our Organization (the “controller”), have the right to:

Definitions

How to Exercise Your Rights

You may exercise your rights by contacting us through our toll-free number: 800 625-7724, or by emailing us at privacy@sheehan.com.

A consumer may designate an authorized agent to exercise the right to opt-out. Parents or legal guardians may exercise rights on behalf of a known child or individuals under guardianship.

Response Timeline

We will respond to requests without undue delay, but not later than 45 days after receipt. We may extend this by 45 additional days if necessary, provided we inform you within the initial period. If we decline action, we will justify the decision and provide instructions for appeal.

Information is provided free of charge once per 12-month period. For excessive or repetitive requests, we may charge a reasonable fee or decline to act.

Appeals

If we refuse to take action on your request, you may appeal by contacting us at AppealPrivacyIssue@sheehan.com. We will respond within 60 days. If the appeal is denied, we will provide information on how to contact the attorney general.

TEXAS CONSUMER DATA PROTECTION ACT ADDENDUM

A comprehensive description of our online and offline personal information practices is set forth in the main body of our Privacy Notice to which this Addendum pertains. This Addendum covers rights that you as a consumer (i.e., Texas resident) may have under the Texas Data Privacy and Security Act (TDPSA), and our obligations in relation thereto.

1. Data Subject Rights

(a) Subject to any exemptions, restrictions or limitations under the TDPSA, a consumer is entitled to exercise the consumer rights identified below at any time as set forth in Section 2 below, specifying the consumer rights the consumer wishes to exercise. With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child may exercise the consumer rights on behalf of the child.

(b) Subject to any exemptions, restrictions or limitations under the TCDPA, we will comply with an authenticated consumer request to exercise the right to:

2. How Texas consumers may submit Requests.

(a) Consumers may submit requests under section 1 above may exercise your request rights by contacting us through this toll free number: 800 625-7724, or by emailing us at privacy@sheehan.com. A consumer may designate another person to serve as the consumer ’s authorized agent and act on the consumer ’s behalf to opt out of the processing of the consumer personal data under Sections 541.051(b)(5)(A) (targeted advertising) and (B) (the sale of personal data).

(b) We will not require a consumer to create a new account to exercise the consumer's rights, but may require a consumer to use an existing account.

3. Our Responses to Data Subject Requests.

(a) Subject to any exemptions, restrictions or limitations under the TDPSA or as otherwise provided under the TDPSA, we will comply with a request submitted by a consumer to exercise the consumer's rights pursuant to Section 541.051 of the TDPSA as provided by that section.

(b) We will respond to the consumer request without undue delay no later than the 45th day after the date of receipt of the request. We may extend the response period once by an additional 45 days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as we inform the consumer of the extension within the initial 45-day response period, together with the reason for the extension.

(c) If we decline to take action regarding the consumer's request, we will inform the consumer without undue delay, no later than the 45th day after the date of receipt of the request, of the justification for declining to take action and provide instructions on how to appeal the decision in accordance with Section 541.053 of the TDPSA.

(d) We will provide information in response to a consumer request free of charge, at least twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, or repetitive, we may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. We bear the burden of demonstrating for purposes of this subsection that a request is manifestly unfounded, excessive, or repetitive.

(e) If we are unable to authenticate the request using commercially reasonable efforts, we are not required to comply with a consumer request submitted under Section 541.051 of the TDPSA and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.

(f) Where we have obtained personal data about a consumer from a source other than the consumer, we will be considered in compliance with a consumer's request to delete that personal data pursuant to Section 541.051(b)(3) of the TCDPA by:

4. Right to Appeal.

(a) A consumer may appeal our refusal to take action on a request within 30 days after the consumer's receipt of our decision by contacting us at AppealPrivacyIssue@sheehan.com, and stating the basis for the appeal.

(b) We will inform the consumer in writing of any action taken or not taken in response to an appeal under this section not later than the 60th day after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision.

(d) If we deny an appeal, the consumer may contact the attorney general to submit a complaint by using the online mechanism found here: https://consumerprotection.texasattorneygeneral.gov/consumercomplaintportal/s/.

5. Additional Notices.