Product: 1sixty8 Manifold Operator: 1sixty8 media, inc., a Pennsylvania S corporation Version: 1.2 Effective Date: [DATE OF ADOPTION] Last Updated: [DATE OF ADOPTION]
Status: DRAFT for attorney review. This document was drafted by the founder with AI assistance. It is not legal advice. Do not publish or rely on any portion of this text until it has been reviewed and approved by counsel admitted to practice in Pennsylvania and familiar with U.S. SaaS privacy law.
This summary describes the key points of our Privacy Policy in plain language. It is provided for convenience. The formal sections that follow govern in the event of any conflict with this summary.
1sixty8 media, inc. ("1sixty8 media," "we," "us," or "our") is a Pennsylvania S corporation operating 1sixty8 Manifold, a cloud-based software platform for service businesses. Our principal address is:
1sixty8 media, inc. 273 Smith Road Kunkletown, PA 18058
This Privacy Policy explains how we collect, use, share, and protect personal information in connection with 1sixty8 Manifold (the "Service").
This policy covers two groups of people whose personal information we handle in different ways. The distinction matters because the law treats them differently, and so do we.
Group A: Shop staff and administrators. The owners, managers, installers, salespeople, and other employees of the businesses that subscribe to 1sixty8 Manifold. Group A members create accounts, sign in to the Service, and use it to run their business. We are the direct service provider for Group A, and we handle their personal information accordingly.
Group B: Your shop's customers and contacts. When a subscribing shop uses 1sixty8 Manifold to manage its own customers (for example, a driver whose vehicle is serviced), information about those end-customers is stored in our Service. Group B members do not sign in to 1sixty8 Manifold. In most U.S. state privacy laws, the shop is the "business" or "controller" of Group B data, and we act as a "service provider" or "processor."
Throughout this policy, we flag which sections apply to which group.
This policy does not cover the websites or services of any third parties, including the shop's own website, payment processors, or other services that may be linked to or integrated with 1sixty8 Manifold.
When a Group A member creates an account or uses 1sixty8 Manifold, we collect:
On behalf of each subscribing shop, we store:
We also collect information about the business as an entity:
This information is primarily about a business rather than an individual, but because sole proprietors and small businesses are often identified by personal names and contact details, we treat this information with the same care as individual personal information.
Regardless of Group, when any user interacts with 1sixty8 Manifold, our servers automatically collect:
For clarity, 1sixty8 Manifold does not collect, process, or store:
We use personal information only for the purposes set out below. We do not use personal information for our own marketing, we do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
We use the information in Sections 3.1 through 3.4 to:
We also use information for the following purposes, each strictly limited to what is necessary:
Consistent with our trust-first posture, we do not:
If we ever introduce an optional program that would change any of the items above (for example, an opt-in benchmarking program or an opt-in AI-training contribution program), we will introduce it as an explicit opt-in with a version bump to this policy. Your existing data will not be included in such a program unless you opt in.
We use a small number of carefully selected third-party service providers ("subprocessors") to help operate 1sixty8 Manifold. Each subprocessor is bound by contract to process personal information only as needed to provide services to us and only in accordance with our instructions.
A current list of subprocessors, along with the purpose, data categories, and region of processing for each, is published at:
https://shop.1sixty8.com/legal/subprocessors
Change notifications. We will provide at least thirty (30) days' advance notice before adding a new subprocessor or materially changing an existing subprocessor's role. During that notice period, a customer who objects to the change may terminate the affected subscription and receive a pro-rata refund of prepaid fees for the unused portion of the subscription term.
We may disclose personal information if required to do so in response to a subpoena, court order, or other legal process, or to comply with applicable law. Where we reasonably can, and where it is lawful to do so, we will notify the affected customer before we disclose information so the customer has an opportunity to object.
If 1sixty8 media, inc. is involved in a merger, acquisition, reorganization, or sale of all or substantially all of its assets, personal information may be transferred as part of that transaction. We will use reasonable efforts to notify affected customers in advance and to require the successor to honor this policy (or provide equivalent protections) going forward.
We may share or transfer personal information at the direction of the shop (for Group A data) or at the direction of the shop on behalf of its end-customers (for Group B data). For example, when a shop configures an integration or initiates an export.
We may share aggregated or de-identified information that cannot reasonably be used to identify any individual. For example, we may publish industry benchmarks or use aggregated metrics in marketing material. We do not re-identify this information and we take commercially reasonable steps to prevent re-identification.
Personal information is stored and processed in the United States. We do not currently transfer personal information outside the United States for storage or meaningful processing.
Some subprocessors operate global edge networks (for example, content delivery, DNS resolution, or bot-protection challenges) that may route network traffic through non-U.S. points of presence for performance reasons. Meaningful processing of personal information remains in the United States.
If we ever add a subprocessor or a processing activity that changes the regional footprint of personal information, we will update this policy and provide the thirty-day notice described in Section 5.1.
We keep personal information only as long as we need it to provide the Service or for the limited additional purposes described below.
We retain account data and the shop's records for as long as the shop's subscription is active, subject to any in-product deletions the shop performs.
Upon cancellation or termination of a subscription:
When an authorized user inside the Service deletes an individual record (for example, a customer, vehicle, or invoice), that record is soft-deleted and may be recovered from a "trash" view for thirty days. After thirty days, the record is hard-deleted.
Operational backups containing personal information are purged within thirty days on a rolling basis. A record that has been hard-deleted as described above will no longer appear in any live or backup copy within thirty days.
Security audit logs (login, PIN swap, lockout, terminal trust events, and related entries) are retained for twelve months from the event date. These logs are kept for fraud detection, incident investigation, and compliance purposes.
Aggregated or de-identified information that cannot reasonably be used to identify an individual may be retained indefinitely.
Where applicable law requires us to retain certain records longer (for example, tax or accounting records), we will retain those records for the legally required period and no longer than reasonably necessary after that period ends.
We use administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Safeguards include:
Secure, HttpOnly, and SameSite=Lax, bound to a configurable idle lifetime, and regenerated after key authentication events.No safeguard is perfect. Section 9 describes what happens if one fails.
If we become aware of a security incident that has resulted, or that is likely to result, in unauthorized access to personal information, we will notify affected customers without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of the incident.
The notification will describe, to the extent then known:
Depending on where you live, you may have rights with respect to your personal information. We honor the rights described below for all individuals whose personal information we directly hold, regardless of jurisdiction, subject to the exceptions set out in this section.
Some rights are provided by applicable law conditionally. We make the following declarations so that the conditions resolve cleanly:
Group A (shop staff). Requests from a Group A member about the Group A member's own personal information are handled by us directly. Submit the request as described in Section 10.4. We will authenticate you before acting on the request.
Group B (shop's end-customers). If you are a customer of a shop that uses 1sixty8 Manifold, we are a service provider to that shop. The shop is the primary decision-maker for your personal information. If you contact us directly, we will forward your request to the shop without undue delay and confirm to you that we have done so. The shop will then process your request using the in-product tools we provide for that purpose. If you are not sure which shop holds your information, we will do our best to help you identify it.
Send your request to privacy@1sixty8.com. Include enough information for us to identify you and the shop (if applicable). We may ask you to verify your identity before acting on certain requests; the verification method will be proportionate to the sensitivity of the request.
You may also authorize an agent to submit a request on your behalf. We will require written proof of the agent's authority and may, where the law permits, also verify your identity directly.
We will respond to a valid request within forty-five (45) days of receipt. If we need more time due to the complexity or number of requests, we may extend the response period once by up to an additional forty-five days and will notify you of the extension within the initial response period.
If we decline your request in whole or in part, we will explain why and inform you of your right to appeal. To appeal, reply to the response notice or email privacy@1sixty8.com with the word "Appeal" in the subject line. We will complete the appeal within a reasonable time and inform you of the outcome. If you remain dissatisfied, you may contact the attorney general of your state.
We may retain certain information after a deletion request for the limited purposes and limited duration required to:
When we retain information under an exception, we retain only the minimum necessary for the exception's purpose, and we delete it when the exception no longer applies.
If you are a California resident, the following additional disclosures apply under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"):
To exercise California rights, submit a verifiable consumer request as described in Section 10.4.
The Service uses cookies and limited browser storage as described below. We do not use cookies for advertising or analytics.
pos_session (or an equivalent name configured for the deployment). First-party. Strictly necessary for authentication. Flags: Secure, HttpOnly, SameSite=Lax. Lifetime configurable per deployment; typically one hour of idle inactivity.The Service uses localStorage in limited circumstances for user-interface state (for example, the last-chosen size of an assistant panel) and for in-progress work recovery (for example, recovering a physical-inventory scan that was interrupted). These entries are first-party and contain no identifiers.
Our Service does not currently respond to "Do Not Track" browser signals because there is no consensus standard for how a service provider should respond. We honor Global Privacy Control signals as described in Section 10.2.
This section describes how we collect, use, store, and share data we receive from Google APIs in connection with the Reviews module's Google Business Profile integration. It is included to satisfy Google's transparency requirements for restricted-scope OAuth applications and is in addition to (not in place of) the rest of this Privacy Policy.
1sixty8 Manifold uses Google API Services to integrate Google Business Profile reviews into the Reviews module. The Service's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes used. When a Customer connects a Google Business Profile account, the Service requests the following OAuth scope: https://www.googleapis.com/auth/business.manage. This scope grants the Service permission to read and reply to reviews of the Customer's verified Business Profile listing on the Customer's behalf.
Google data we access and store. Review content, star ratings, reviewer display name, reviewer profile photo URL, reply content, reply timestamps, the Customer's Business Profile account and location identifiers, and the Customer-authorized OAuth refresh and access tokens. OAuth tokens are encrypted at rest as described in Section 8.
How we use Google data. We use Google data solely to provide the Reviews module's user-facing features: display the Customer's reviews, allow authorized staff to compose and post replies, send push notifications about new reviews to staff who opt in, and surface aggregate review metrics in the Customer's dashboard.
What we do not do with Google data. We do not transfer Google data to third parties except as necessary to provide or improve the user-facing features described above, comply with applicable law, or as part of a merger or acquisition with notice as described in Section 5.3. We do not use Google data for advertising, including retargeting, personalized advertising, or interest-based advertising. We do not allow humans to read Google data except (a) with the Customer's affirmative consent for specific items, (b) as necessary for security purposes including investigation of abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations. We do not use Google data to train, improve, or develop generalized AI or machine-learning models.
Retention and disconnect. When a Customer disconnects the Google integration from /reviews/settings, we revoke the OAuth refresh and access tokens with Google and delete them from our database. Review content and replies that were ingested while the integration was active remain in the Customer's account and are deleted on the cancellation timeline described in Section 7.2 unless the Customer requests earlier deletion.
1sixty8 Manifold is not directed to children. We do not knowingly collect personal information from anyone under the age of thirteen, and we do not sell or share personal information of anyone under the age of sixteen without affirmative consent.
If you believe we have collected information from a child under thirteen, please contact privacy@1sixty8.com. We will delete the information promptly upon verification.
We may update this Privacy Policy from time to time.
The version number and effective date appear at the top of this document. The full history of changes is at the bottom (Section 18).
For any question about this policy, to exercise a right described in Section 10, or to report a suspected privacy incident, contact:
1sixty8 media, inc. Attn: Privacy 273 Smith Road Kunkletown, PA 18058 Email: privacy@1sixty8.com
The same email address is the designated contact for inbound breach notifications from any subprocessor that is obligated to notify us of a security incident.
This policy is governed by the laws of the Commonwealth of Pennsylvania, without regard to its conflict-of-laws principles. Nothing in this section limits any right you may have under the law of the state in which you reside.
| Version | Date | Summary of Change |
|---|---|---|
| 1.0 | [DATE] | Initial policy published. |
| 1.1 | [DATE] | Clarifying edit before adoption: Section 3.2 and Section 4.1 extended to identify Facebook Messenger and Instagram direct messages as communication channels through which Group B message content is sent, received, and stored. No change to data-handling commitments; this edit makes the pre-existing Meta messaging integration explicit alongside SMS, email, and chat-widget conversations. |
| 1.2 | [DATE] | Added new Section 13, "Google API Services User Data Policy," disclosing the business.manage OAuth scope, the Google Business Profile data accessed and stored, the Limited Use commitments, and the token revocation behavior on disconnect. Required for Google's restricted-scope OAuth verification of the Reviews module integration. Existing Sections 13 through 17 renumbered to 14 through 18; cross-references updated accordingly. |
Before publishing this policy:
[DATE OF ADOPTION] placeholders replaced with the effective date.privacy@1sixty8.com provisioned and routed to founder (or privacy-designated recipient).1.0./legal/subprocessors page confirmed accurate and linked from this policy.docs/cookie_audit.md reconciled with Section 12 of this policy.3_Final/ with a version number in the filename.End of DRAFT for Attorney Review.