Privacy Policy

1. Overview

Urbanix LLC ("we," "us," or "our") operates jonurbanski.com and related services. This Privacy Policy describes how we collect, use, and protect information from visitors to this website and from staff, contractors, and clients who receive communications from us, including SMS text message alerts.

By using this website or providing your contact information to us, you agree to the practices described in this policy.

2. Information We Collect

Information you provide directly

• Name and contact information (email address, phone number) submitted via contact forms or email
• Mobile phone numbers provided for SMS alert enrollment
• Professional information shared in the context of consulting engagements

Information collected automatically

• Browser type, device type, and operating system
• Pages visited and time spent on each page
• Referring URL and general geographic region (country/state level)
• This site does not use tracking cookies or third-party analytics beyond standard web server logs

3. SMS Text Message Alerts — Staff

Urbanix LLC may send SMS text message notifications to staff members, contractors, and authorized personnel who have provided a mobile phone number in connection with an active engagement or employment relationship. These messages may include:

• Project status updates and deadline reminders
• Operational alerts related to platforms or infrastructure we manage
• Meeting or scheduling notifications
• Time-sensitive communications related to client engagements

Re-enrollment

If you have opted out and wish to receive SMS alerts again, contact us at info@jonurbanski.com or reply START to a previous message from us.

4. How We Use Your Information

We use the information we collect to:

• Communicate with prospective and active clients about consulting services
• Send operational SMS alerts to staff and contractors as described above
• Respond to inquiries submitted via the contact section of this website
• Maintain records required for business operations and tax purposes
• Improve the content and functionality of this website

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Information Sharing

We do not sell or share your personal information with third parties except in the following limited circumstances:

• Service providers: We may share information with vendors who assist in delivering SMS messages or hosting services, under confidentiality obligations and only as necessary to provide those services.
• Legal requirements: We may disclose information if required by law, court order, or government authority.
• Business transfers: In the event of a merger, acquisition, or sale of Urbanix LLC, information may be transferred as part of that transaction.

6. Data Retention

We retain information only as long as necessary for the purpose it was collected and to comply with our legal obligations. Different categories of data have different retention periods:

Operational data (district employee & student records, sync state)

• Active staff & student records: while the district maintains the record in the source system, plus 30 days after deactivation.
• Connector credentials (encrypted): while the connector is active, plus 30 days after removal.
• Field mappings & workflow rules: for the term of the contract, plus 30 days post-termination.

Audit & compliance data

• Login attempts, change events, sync logs, clock punch audits: 7 years (Illinois Local Records Act minimum for K-12 fiscal/employment records).
• BIPA consent records: retained for the lifetime of the biometric data plus 3 years per 740 ILCS 14/15(a).
• Security incident records: 7 years.
• DPA / MSA contract records: contract term plus 7 years post-termination.

Biometric data (only if a district enables biometric features in DistrictClock™)

• Biometric identifier (fingerprint hash, facial geometry vector): destroyed within the earlier of (a) 3 years after the individual's last interaction with the district, or (b) 30 days after the individual's separation from the district, or (c) any shorter period agreed in writing with the district.
• Biometric consent record: retained at least as long as the biometric data plus 3 years afterward (independent of biometric destruction).

Communications

• Sent emails: 90 days. Marketing opt-in records: until withdrawn plus 1 year.
• Support tickets: 7 years.

Opt-out and consent-withdrawal requests are honored within 10 business days; the opt-out / withdrawal record is retained to ensure we do not inadvertently re-contact you. The full retention schedule by data class is published at systembridges.com/data-retention.

6A. Biometric Information (BIPA)

This section governs biometric identifiers and biometric information collected through DistrictClock™ in compliance with the Illinois Biometric Information Privacy Act (740 ILCS 14, "BIPA"). It applies regardless of whether your district has enabled biometric features.

Default posture

We do not collect biometric data by default. Districts can authenticate staff for clock-in/out using PIN, NFC badge, web password, or mobile login. No employee is ever required to use biometric authentication.

If a district enables biometrics

Only the following may be collected, and only with each individual's prior, written, informed consent:

• Fingerprint template — a mathematical hash; never the raw fingerprint image.
• Facial geometry vector — a mathematical hash; never the raw photo.

We do not collect voiceprints, retina or iris scans, DNA, hand or palm geometry, or raw biometric photographs/video.

Notice and consent

Before any biometric capture, the affected individual receives written disclosure of: the specific biometric collected, the purpose (time and attendance authentication), the retention period, the destruction schedule, the right to opt out and use a non-biometric alternative without penalty, and the prohibition on sale or third-party disclosure of the data. The individual must then sign an electronic consent before enrollment. The signed consent is recorded in our audit log with the individual's name, employee ID, date and time, IP and device, version of the disclosure, and a cryptographic hash of the consent text. A copy is delivered to the individual via email at the time of signing.

Storage & security

• Biometric data is encrypted at rest using AES-256 with a key managed in AWS KMS.
• Biometric data is transmitted only over TLS 1.2+ authenticated channels.
• Each district's biometric data is logically isolated from every other district.
• Biometric data is never shared with subprocessors or used to train AI/ML models.

Retention & destruction

Biometric identifiers are destroyed within the earlier of: (a) 3 years after the individual's last interaction with the district, (b) 30 days after the individual's separation from the district, or (c) any shorter period agreed in writing with the district. Destruction is performed via cryptographic erasure of the encryption key plus hard-delete of the operational record. Written certification of destruction is available to the district and the individual on request.

Disclosure prohibitions

SystemBridges will not sell, lease, trade, or otherwise profit from biometric data. We will not disclose biometric data to any third party without the individual's prior written consent or a valid subpoena/court order. We will not match biometric data across districts, use it for facial recognition outside of clock-in/out, or share it with subprocessors.

Withdrawing consent

You may withdraw biometric consent at any time by emailing privacy@systembridges.com from your district email. Within 10 business days, your biometric data will be destroyed and certified deleted; you continue using PIN/badge thereafter with no penalty.

Full BIPA policy: systembridges.com/bipa.

7. Security

We implement administrative, technical, and physical safeguards consistent with the SOC 2 Trust Services Criteria. Specifically:

• Encryption in transit: TLS 1.2 or higher for all connections.
• Encryption at rest: AES-256 for personally identifiable information and biometric data, with keys managed in AWS KMS.
• Access control: Role-based access; least-privilege defaults; multi-factor authentication for all administrative access.
• Audit logging: Immutable, append-only logs of access, configuration changes, and data exports, retained 7 years.
• Independent audit: SOC 2 Type I scheduled Q4 2026; Type II within 6 months thereafter.
• Annual third-party penetration testing beginning Q3 2026.
• Background checks for all staff with production access; immediate revocation upon departure.

For the full security and disaster recovery posture, see our API confidence-tier reference and contact us for the DR plan and incident response plan under NDA.

No method of transmission or storage is 100% secure, but we maintain defense-in-depth controls and a documented incident-response plan committing to district notification within 72 hours of discovery of any breach reasonably likely to involve district data.

8. Your Rights

Depending on your location, you may have the right to:

• Request access to the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your information (subject to our legal retention obligations)
• Opt out of SMS communications (see Section 3 above)

To exercise any of these rights, contact us using the information in Section 10 below.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. Your continued use of this website or receipt of communications from us following any changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or want to opt out of SMS alerts, contact us: