Skip to main content
Licensed, Bonded, & Insured | HIC# 13VH13373800

Privacy Policy

Last Updated: November 12, 2025 Version: 2.0

1. Introduction

lavacagc.com ("Company," "we," "us," or "our"), a New Jersey home improvement contractor (NJHIC# #13VH13373800), respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website lavacagc.com (the "Website") or use our services.

By using our Website, you acknowledge that you have read and understood this Privacy Policy. Where required by applicable law, we will obtain your specific, informed consent for certain data processing activities. Our legal basis for processing your information varies depending on the purpose and your jurisdiction, as detailed in this Privacy Policy.

If you do not agree with this Privacy Policy, please do not use our Website.

2. Definitions

For purposes of this Privacy Policy:

  • "Personal Information" or "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes the categories of information described in Section 3.1-3.3.

  • "Sensitive Personal Information" means personal information that reveals specific sensitive attributes or characteristics, including financial account information combined with security codes, government-issued identifiers, precise geolocation, and other categories defined by applicable privacy laws.

  • "Consumer," "You," "Your" means a natural person who is a New Jersey, California, or other U.S. state resident, or an EU/EEA data subject, whose personal information we collect.

  • "Controller" means the entity that determines the purposes and means of processing personal data (i.e., lavacagc.com).

  • "Processor" or "Service Provider" means an entity that processes personal data on behalf of the controller.

  • "Processing" means any operation performed on personal data, including collection, use, storage, disclosure, transfer, or deletion.

  • "Sale" means providing personal information to a third party in exchange for monetary or other valuable consideration (as defined by CCPA/CPRA).

  • "Sharing" means providing personal information to a third party for cross-context behavioral advertising (as defined by CCPA/CPRA).

  • "Targeted Advertising" means displaying advertisements selected based on personal information obtained from a consumer's activities over time and across nonaffiliated websites or online applications.

3. Information We Collect

We collect several types of information from and about users of our Website, including:

3.1 Personal Information You Provide

When you interact with our Website, you may voluntarily provide us with personally identifiable information, including but not limited to:

  • Name: Your first and last name
  • Email Address: Your email address for communication purposes
  • Phone Number: Your contact phone number
  • Mailing Address: Your physical address for service delivery
  • Project Details: Information about your contracting needs, property details, and project requirements
  • Payment Information: When you make an online payment for services, our third-party payment processor (not lavacagc.com) collects your credit card number, expiration date, CVV code, and billing address. We do not store complete credit card numbers or CVV codes on our systems. We retain only:
    • The last four digits of your credit card number for reference
    • Transaction amounts, dates, and invoice numbers
    • Billing address for invoicing purposes

Note: Payment card information is Sensitive Personal Information under California law and Sensitive Data under New Jersey law. Our payment processor maintains PCI-DSS (Payment Card Industry Data Security Standard) compliance and implements appropriate security measures.

  • Communication Content: Any information you include in messages, inquiries, or communications with us

3.2 Automatically Collected Information

When you visit our Website, we automatically collect certain information about your device and browsing behavior, including:

  • Device Information: IP address, browser type and version, operating system, device type
  • Usage Information: Pages visited, time spent on pages, links clicked, referring/exit pages
  • Location Information: General geographic location based on IP address (not precise geolocation)
  • Cookies and Similar Technologies: Information collected through cookies, web beacons, and similar tracking technologies

3.3 Information from Third Parties

We may receive information about you from third-party services, including:

  • Analytics providers (e.g., Google Analytics)
  • Advertising networks (e.g., Google Ads, Facebook Pixel)
  • Payment processors
  • Social media platforms

4. How We Use Your Information

We use the information we collect for various purposes, including:

4.1 Service Delivery

  • Processing service inquiries and requests
  • Providing estimates and quotes
  • Scheduling and delivering contracting services
  • Communicating about your projects and service status
  • Processing payments and managing billing

Legal Basis (for EU/EEA visitors): Contractual necessity, legitimate interests

4.2 Marketing and Communications

  • Sending promotional emails, newsletters, and marketing materials with your consent or as permitted by law
  • Informing you about new services, special offers, and updates
  • Conducting customer surveys and gathering feedback
  • Building and maintaining customer relationships

Your Control Over Marketing Communications:

You can opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Contacting us at alex@lavacagc.com with subject line "Opt Out of Marketing"

Note: Even if you opt out of marketing communications, we will still send you transactional and service-related communications (e.g., appointment confirmations, payment receipts, important service updates) as necessary to provide our services.

Legal Basis (for EU/EEA visitors): Consent, legitimate interests

4.3 Analytics and Improvement

  • Analyzing website usage and user behavior to improve our Website
  • Understanding customer preferences and trends
  • Enhancing website functionality and user experience
  • Analyzing business performance to optimize our services

Legal Basis (for EU/EEA visitors): Legitimate interests

4.4 Legal and Security

  • Complying with legal obligations and regulations
  • Protecting against fraud, unauthorized transactions, and other illegal activities
  • Enforcing our Terms and Conditions
  • Defending legal rights and claims
  • Ensuring website security and integrity

Legal Basis (for EU/EEA visitors): Legal obligation, legitimate interests

4.5 Business Operations

  • Managing customer accounts and records
  • Maintaining business records and documentation
  • Facilitating internal business operations
  • Training staff and quality assurance

Legal Basis (for EU/EEA visitors): Legitimate interests, legal obligation

5. How We Share Your Information

We may share your information with third parties in the following circumstances:

5.1 Service Providers and Data Processing Agreements

We share information with third-party service providers who perform services on our behalf under written contracts that:

  • Prohibit them from using your information for purposes other than providing services to us
  • Require them to implement appropriate security measures
  • Restrict them from selling or sharing your information
  • Require compliance with applicable privacy laws
  • Provide for our right to audit their data protection practices

These service providers include:

  • Payment Processors: For processing credit card and online payments such as QuickBooks Payments
  • Hosting Providers: For website hosting and data storage
  • Email Service Providers: For sending emails and newsletters
  • Customer Relationship Management (CRM) Systems: For managing customer data
  • Cloud Storage Services: For data backup and storage

We conduct due diligence on our service providers' privacy and security practices before engaging them and periodically review their compliance.

5.2 Analytics and Advertising Partners

We share information with analytics and advertising partners for the purposes of:

  • Analyzing website traffic and user behavior
  • Measuring advertising campaign effectiveness
  • Delivering targeted advertisements to you on other websites and platforms (retargeting)
  • Understanding how users find and interact with our Website

Partners We Work With:

Information Shared with These Partners:

  • Device identifiers and IP addresses
  • Browsing behavior on our Website (pages viewed, links clicked, time spent)
  • General geographic location (based on IP address - not precise geolocation)
  • Inferences about your interests based on your interactions

How These Partners Use Cookies:

These partners may place cookies and similar tracking technologies on your device through our Website. They may combine information collected from our Website with information from other websites you visit to create profiles for targeted advertising purposes.

"Sharing" Under California Privacy Law:

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), providing information to these advertising partners constitutes "sharing" of personal information for cross-context behavioral advertising. You have the right to opt out of this sharing. See Section 8.5 for how to opt out.

Opt-Out of Targeted Advertising:

To opt out of targeted advertising:

5.3 Legal Requirements

We may disclose your information when required by law or when we believe disclosure is necessary to:

  • Comply with legal process, court orders, or government requests
  • Enforce our Terms and Conditions
  • Protect our rights, property, or safety, or those of others
  • Investigate or prevent illegal activities or fraud
  • Respond to emergency situations

5.4 Business Transfers

Transfer in Connection with Business Transactions:

If lavacagc.com is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or other business transaction, your personal information may be transferred, sold, or assigned as part of that transaction.

Your Rights in a Business Transfer:

  • We will notify you via email (if we have your email address) and/or by posting a prominent notice on our Website at least 30 days before any transfer of your personal information to a new entity
  • The notification will identify the acquiring entity and provide information about their privacy practices
  • If the acquiring entity intends to handle your personal information in a manner materially different from this Privacy Policy, you will be given the opportunity to opt out or delete your information before the transfer
  • Your rights under this Privacy Policy will continue until the acquiring entity provides you with notice of a new privacy policy

Due Diligence:

In the event of a business transfer, we will conduct reasonable due diligence to ensure the acquiring entity will provide at least the same level of privacy protection as described in this Privacy Policy, or we will notify you of any differences and provide you with opt-out rights.

5.5 With Your Consent

We may share your information for any other purpose with your explicit consent.

6. Cookies and Tracking Technologies

6.1 What Are Cookies?

Cookies are small text files placed on your device by websites you visit. They help websites remember information about your visit, making future visits easier and more useful.

6.2 How We Use Cookies

We use cookies and similar tracking technologies for:

  • Essential Cookies: Necessary for website functionality
  • Analytics Cookies: To understand how visitors use our Website
  • Marketing Cookies: To deliver targeted advertising and measure campaign effectiveness
  • Preference Cookies: To remember your settings and preferences

6.3 Third-Party Cookies

Third-party partners like Google Analytics and advertising networks may also place cookies on your device through our Website.

6.4 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can:

  • Delete existing cookies
  • Block cookies from being set
  • Receive notifications when cookies are being sent

Note: Disabling cookies may affect your ability to use certain features of our Website.

To opt out of Google Analytics, visit: https://tools.google.com/dlpage/gaoptout

6.5 Universal Opt-Out Mechanisms and Global Privacy Control (GPC)

We recognize and honor universal opt-out preference signals, including Global Privacy Control (GPC), which allow you to automatically communicate your privacy preferences across multiple websites.

What is Global Privacy Control (GPC)?

GPC is a browser setting that sends a signal to websites indicating you want to opt out of the sale or sharing of your personal information for targeted advertising. Many modern browsers and browser extensions support GPC.

How We Respond to GPC:

When we detect a GPC signal from your browser:

  • We will treat it as a valid request to opt out of the sale or sharing of your personal information for targeted advertising purposes
  • We will stop sharing your data with advertising partners (Google Ads, Facebook Pixel) for cross-context behavioral advertising
  • We will apply the opt-out within 15 business days of detecting the signal
  • The opt-out will apply to the specific browser/device sending the signal

How to Enable GPC:

To enable Global Privacy Control:

  1. Use a browser that supports GPC (such as Brave, DuckDuckGo, Firefox with privacy extensions)
  2. Install a browser extension that enables GPC (such as OptMeowt, Privacy Badger)
  3. Enable the GPC setting in your browser preferences

For more information about GPC and how to enable it, visit: https://globalprivacycontrol.org/

Limitations:

  • GPC applies only to the browser/device from which the signal is sent
  • If you use multiple browsers or devices, you'll need to enable GPC on each one
  • GPC does not delete data we have already collected; to request deletion, see Section 8.3
  • GPC does not opt you out of essential cookies necessary for website functionality

Required by Law:

We are required to recognize and honor GPC signals under:

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • New Jersey Data Protection Act (NJDPA), effective July 15, 2025
  • Other applicable state privacy laws

6.6 Specific Cookies We Use

Essential Cookies (cannot be disabled without affecting website functionality):

Cookie NamePurposeDuration
cookie_consentRemembers your cookie consent preferences12 months
session_idMaintains your session while browsing our WebsiteSession (deleted when browser closes)
security_tokenPrevents cross-site request forgery (CSRF) attacksSession

Analytics Cookies (can be disabled via cookie settings):

Cookie NameProviderPurposeDuration
_gaGoogle AnalyticsDistinguishes users for analytics2 years
_gidGoogle AnalyticsDistinguishes users for analytics24 hours
_gatGoogle AnalyticsThrottles request rate1 minute

Marketing/Advertising Cookies (can be disabled via cookie settings or opt-out links):

Cookie NameProviderPurposeDuration
gcl*Google AdsTracks conversions from Google Ads90 days
frFacebook PixelDelivers advertising and measures effectiveness3 months
_fbpFacebook PixelIdentifies browser for advertising3 months

Managing Cookies:

You can manage your cookie preferences by adjusting your browser settings. Note that disabling cookies may affect website functionality.

Cookie Consent for EU Visitors:

If you are located in the EU/EEA, we will not place non-essential cookies on your device until you have given your consent via our cookie banner. Essential cookies necessary for website functionality will be placed automatically.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, resolve disputes, enforce our agreements, and for other legitimate business purposes.

7.1 Retention Periods by Category

Category of InformationRetention PeriodReason for Retention
Contact Information (name, email, phone, address)Duration of business relationship + 7 years after last interactionTax and accounting compliance (IRS requires 7-year retention); contract statute of limitations (NJ: 6 years); warranty and liability purposes
Payment Transaction Records (amount, date, invoice number - NOT full credit card numbers)7 years after transactionTax and accounting compliance; fraud prevention; dispute resolution
Credit Card InformationNOT retained by us; processed and stored by third-party payment processor onlyWe do not store complete credit card numbers or CVV codes
Project Details and Service RecordsDuration of business relationship + 10 yearsConstruction defect statutes of limitations (NJ: 10 years for some construction claims); warranty obligations; liability defense
Communication Content (emails, messages, inquiries)Duration of business relationship + 7 yearsContract enforcement; dispute resolution; quality assurance; customer service
Website Usage Data and Analytics (IP address, browsing behavior, device information)26 monthsWebsite improvement; analytics (aligned with Google Analytics default); user experience optimization
Marketing Communications RecordsUntil you opt out + 30 days to process opt-out, then deletedDirect marketing; compliance with opt-out requests
Cookies and Tracking TechnologiesVaries by cookie type: Essential (session); Analytics (26 months); Marketing (13 months)See Section 6 for cookie-specific retention

7.2 Retention Determination Methodology

For categories not listed above, we determine retention periods based on:

  1. The purpose for which the information was collected
  2. Legal, regulatory, tax, accounting, and audit requirements (including NJ and federal record-keeping laws)
  3. Statute of limitations for potential legal claims (NJ contract statute of limitations: 6 years; construction defect claims: up to 10 years)
  4. Industry best practices for construction and contracting businesses
  5. Our legitimate business interests (customer service, quality assurance, dispute resolution)

7.3 Secure Deletion

When personal information reaches the end of its retention period and is no longer required for any legal, regulatory, or legitimate business purpose, we securely delete or anonymize it using industry-standard methods, including:

  • Permanent deletion from active systems and backups
  • Overwriting of storage media for sensitive information
  • Anonymization (removing identifying information so data cannot be linked back to you)

7.4 Exceptions to Deletion

Even after the retention periods listed above, we may retain certain information if:

  • Required by Law: Tax records, employment records, records related to pending litigation, regulatory requirements
  • Legitimate Legal Purposes: Defending against legal claims within the applicable statute of limitations; complying with preservation obligations; enforcing our rights under contracts or law
  • De-identified/Anonymized: Information that has been irreversibly de-identified or anonymized may be retained indefinitely for analytics and research, as it can no longer identify you
  • Backup Systems: Information may persist in backup or disaster recovery systems for up to 90 days after deletion from active systems, after which backups are overwritten

7.5 User-Requested Deletion

If you request deletion of your personal information (as described in Section 8.3), we will delete or anonymize your information in accordance with applicable law, subject to the exceptions noted above. We will respond to your deletion request within the timeframes required by applicable law (45 days for CCPA/CPRA and NJDPA; 30 days for GDPR).

After deletion, you may no longer be able to access certain services or features, and we may not be able to provide you with quotes, services, or customer support related to past projects.

7.6 Questions About Retention

If you have questions about how long we retain your information or wish to request information about our retention practices for your specific data, please contact us using the information in Section 14.

8. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

8.1 Access and Portability

You have the right to request access to the personal information we hold about you and to receive a copy of that information in a portable, readily usable format.

8.2 Correction

You have the right to request correction of inaccurate or incomplete personal information.

8.3 Deletion

You have the right to request deletion of your personal information, subject to certain legal exceptions.

8.4 Opt-Out of Marketing

You have the right to opt out of receiving marketing communications from us. You can unsubscribe by:

  • Clicking the "unsubscribe" link in marketing emails
  • Contacting us directly at alex@lavacagc.com with subject "Opt Out of Marketing"

8.5 Do Not Sell or Share My Personal Information (California Residents)

If you are a California resident, you have the right to opt out of the "sale" or "sharing" of your personal information under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

What Constitutes "Sale" or "Sharing":

We do not sell your personal information for monetary payment. However, we "share" your personal information with advertising partners (Google Ads, Facebook Pixel) for cross-context behavioral advertising (also known as targeted advertising or interest-based advertising). Under CCPA/CPRA, this sharing for advertising purposes is considered "sharing" of personal information.

Information That May Be Shared:

  • Device identifiers and IP addresses
  • Browsing behavior and website interactions
  • General geographic location based on IP address
  • Inferences about your interests and preferences

How to Opt-Out:

You can opt out of the sharing of your personal information by:

  1. Visiting our opt-out form: https://lavacagc.com/do-not-sell to submit a "Do Not Sell or Share My Personal Information" request
  2. Using Global Privacy Control (GPC): We automatically recognize and honor opt-out preference signals sent through your browser, including Global Privacy Control. To enable GPC, install a browser extension or use a browser that supports GPC.
  3. Contacting us: Email, call, or mail us using the contact information in Section 14

Effect of Opting Out:

If you opt out, we will stop sharing your information with advertising partners for targeted advertising purposes. You may still see advertisements from us, but they will not be targeted based on your browsing behavior across websites.

Opting out will not affect:

  • Analytics that do not involve cross-site tracking (e.g., understanding how visitors use our Website in aggregate)
  • Essential website functionality
  • Service delivery and customer support
  • Our ability to provide you with quotes and contracting services

We Will Not Discriminate Against You:

We will not deny you services, charge you different prices, or provide you with a different level of service quality because you exercised your right to opt-out.

Opt-Out Applies to This Browser/Device Only:

Your opt-out preference is specific to the browser and device you're using when you submit the request. If you use multiple browsers or devices, you'll need to opt out on each one.

Questions About Opt-Out:

If you have questions about your opt-out rights or need assistance with the opt-out process, please contact us at alex@lavacagc.com.

8.6 Exercising Your Rights

To exercise any of these rights, please contact us using the contact information provided in Section 14 below. We will respond to your request within the timeframe required by applicable law.

9. Children's Privacy

Children Under 13:

Our Website and services are not intended for children under the age of 13. We do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA). If we discover that we have inadvertently collected information from a child under 13 without proper parental consent, we will delete that information immediately.

Minors Ages 13-17:

Our services are generally intended for adults. If a minor between ages 13-17 uses our Website or provides information to us (e.g., a parent providing information about a minor who will be present during contracting work), we will handle that information in accordance with this Privacy Policy and applicable law.

Parental Rights:

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately using the information in Section 14, and we will delete the information.

California Minors:

California minors (under age 18) have specific rights under California Business and Professions Code Section 22581 to request removal of content they posted. If you are a California minor and wish to request removal, contact us using the information in Section 14.

10. Data Security

We take the security of your personal information seriously and implement reasonable and appropriate administrative, technical, and physical security measures designed to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction.

10.1 Our Security Measures Include:

Technical Safeguards:

  • Encryption: We use industry-standard encryption (TLS/SSL) to protect data transmitted between your browser and our servers
  • Secure Data Storage: Personal information stored on our systems is protected using encryption and access controls
  • Payment Security: Our payment processing partners maintain PCI-DSS (Payment Card Industry Data Security Standard) compliance. We do not store complete credit card numbers or CVV codes.
  • Firewalls and Intrusion Detection: Our systems are protected by firewalls and monitored for unauthorized access attempts
  • Secure Authentication: Access to systems containing personal information requires strong passwords and multi-factor authentication where appropriate

Administrative Safeguards:

  • Access Controls: Access to personal information is limited to employees, contractors, and service providers who need it to perform their job functions
  • Background Checks: Employees with access to personal information undergo background checks as appropriate
  • Data Protection Policies: We maintain written information security policies and procedures
  • Incident Response Plan: We have incident response and data breach notification procedures in place

Physical Safeguards:

  • Secure Facilities: Our physical offices and any on-premises servers are secured with appropriate physical access controls
  • Device Security: Company devices used to access personal information are password-protected and encrypted

Organizational Safeguards:

  • Employee Training: Employees receive regular training on data protection, privacy, and security best practices
  • Vendor Management: We conduct due diligence on service providers' security practices and require contractual security commitments
  • Regular Assessments: We periodically review and update our security measures to address new threats and vulnerabilities

10.2 Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

  1. Investigate: Immediately investigate the nature and scope of the breach
  2. Contain: Take steps to contain the breach and prevent further unauthorized access
  3. Notify Authorities: Notify relevant regulatory authorities as required by law (within 72 hours for EU data subjects under GDPR)
  4. Notify You: Notify affected individuals without unreasonable delay, as required by applicable law, if the breach poses a risk of harm to you

What Our Notification Will Include:

  • Description of the breach and categories of data affected
  • Approximate date of the breach
  • Steps we are taking to address the breach
  • Recommendations for protecting yourself from potential harm
  • Contact information for questions

Your Rights Following a Breach:

  • California residents have a private right of action under CCPA for data breaches involving certain personal information
  • EU residents may file complaints with supervisory authorities and seek compensation under GDPR

Our Commitment:

We maintain incident response plans and procedures to respond rapidly and effectively to data security incidents.

10.3 Limitations on Security

While we implement robust security measures and strive to protect your personal information, no method of transmission over the Internet, mobile network, or electronic storage is completely secure. We cannot guarantee absolute security. However, if we become aware of a security breach that compromises your information, we will take appropriate steps to investigate and remediate the breach and will notify you as required by law.

10.4 Your Role in Security

You can help protect your information by:

  • Using strong, unique passwords for any accounts
  • Not sharing your account credentials with others
  • Being cautious about phishing emails or suspicious communications claiming to be from us
  • Contacting us immediately if you suspect unauthorized use of your information

11. Automated Decision-Making and Profiling

11.1 Automated Decision-Making

We do not make decisions that produce legal or similarly significant effects concerning you based solely on automated processing of your personal information, including profiling.

11.2 Profiling for Marketing

We may use your information to create inferences about your preferences and interests for marketing purposes (e.g., determining which services might interest you based on your project inquiries). However, these inferences do not result in legal or similarly significant effects.

11.3 Your Rights

  • California Residents: You have the right to opt out of profiling under CPRA (if it produces legal or similarly significant effects)
  • New Jersey Residents: You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
  • EU/EEA Residents: You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you (GDPR Article 22)

To exercise these rights, contact us using the information in Section 14.

12. Third-Party Websites

Our Website may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party websites. We are not responsible for the privacy practices of third parties.

We encourage you to review the privacy policies of any third-party websites you visit.

13. International Users and Data Transfers

U.S.-Based Operations:

Our Website is operated from the United States, and our business is headquartered in New Jersey, USA. If you are accessing our Website from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.

Data Protection Laws May Differ:

Data protection laws in the United States may differ from those in your country of residence. The United States does not have an "adequacy decision" from the European Commission, meaning it is not deemed to provide an equivalent level of data protection as the EU/EEA.

For EU/EEA Visitors:

If you are located in the European Union or European Economic Area, we implement appropriate safeguards for the transfer of your personal data to the United States, as described in Section 16.3. These safeguards include:

  • Standard Contractual Clauses approved by the European Commission
  • Technical and organizational measures to protect your data
  • Limitations on onward transfers

You are not required to consent to international transfers; we rely on appropriate legal mechanisms (Standard Contractual Clauses and other safeguards) to ensure your data is protected when transferred.

For Visitors from Other Countries:

If you are located in a country other than the United States, EU/EEA, or countries listed in Section 16, please be aware that by using our Website, your information will be transferred to the United States. If you do not agree to this transfer, please do not use our Website.

Questions About International Transfers:

If you have questions about how we protect your information during international transfers, please contact us using the information in Section 14.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

lavacagc.com La Vaca General Contractors LLC NJHIC# #13VH13373800

51 Crestmont Rd West Orange, New Jersey 07052

Email: alex@lavacagc.com Phone: (201) 212-4917

For Privacy-Specific Inquiries and to Exercise Your Privacy Rights:

Email: alex@lavacagc.com Subject Line: "Privacy Request - [Your Request Type]" Phone: (201) 212-4917 (ask for Privacy Officer/Manager) Mail: Privacy Officer, 51 Crestmont Rd, West Orange, New Jersey 07052

California Residents - Do Not Sell or Share My Personal Information: Online Form: https://lavacagc.com/do-not-sell Email: alex@lavacagc.com with subject "Do Not Sell/Share Request"

New Jersey Residents - Exercise NJDPA Rights: Email: alex@lavacagc.com with subject "NJDPA Request"

EU/EEA Residents - Exercise GDPR Rights: Email: alex@lavacagc.com with subject "GDPR Request"

Response Time: We will respond to your inquiry within 10 business days to acknowledge receipt, and provide a substantive response within the timeframes required by applicable law (generally 30-45 days depending on your jurisdiction).

15. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time to reflect changes in our data practices, legal requirements, or business operations.

15.1 How We Notify You of Changes

For All Changes:

  • We will update the "Last Updated" date at the top of this Privacy Policy
  • We will post the revised Privacy Policy on our Website at https://lavacagc.com/privacy

For Material Changes:

If we make material changes that significantly affect how we collect, use, or share your personal information, we will provide additional notice by:

  • Sending an email to the address you provided (if we have your email address)
  • Posting a prominent notice on our Website homepage for at least 30 days

15.2 What Constitutes "Material Changes"

Material changes include, but are not limited to:

  • Collecting new categories of sensitive or personal information
  • Using or sharing personal information for purposes significantly different from those previously disclosed
  • Increasing the retention period for personal information
  • Sharing personal information with new categories of third parties
  • Materially reducing your privacy rights or protections

15.3 Your Acceptance of Changes

Non-Material Changes: Your continued use of our Website after non-material changes are posted constitutes your acknowledgment of the updated Privacy Policy.

Material Changes:

  • If you are a California resident and the changes affect our use of your sensitive personal information, we will obtain your affirmative consent if required by law.
  • If you are an EU/EEA resident and the changes affect processing that requires consent as the legal basis, we will obtain your renewed consent.
  • For all other users, if you do not agree with material changes, you may discontinue using our Website and request deletion of your personal information as described in Section 8.3.

15.4 Reviewing the Privacy Policy

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. You can check the "Last Updated" date at the top to see when the policy was last revised.

15.5 Notification of Past Versions

If you would like to review a previous version of this Privacy Policy, please contact us using the information in Section 14, and we will provide it to you if available.

16. Additional Information for Specific Jurisdictions

16.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of Personal Information Collected:

  • Identifiers: Name, email address, phone number, mailing address, IP address, device identifiers
  • Commercial Information: Transaction history, service requests, payment records, project details
  • Internet or Network Activity: Browsing history, search history, interactions with our Website, pages visited, links clicked
  • Geolocation Data: General location based on IP address (not precise geolocation)
  • Inferences: Preferences, characteristics, trends, behavior patterns derived from your information

Sensitive Personal Information Collected:

We collect the following categories of sensitive personal information:

  • Financial Account Information: Credit card numbers, debit card numbers, or other financial account numbers, in combination with required security codes, access codes, or passwords that permit access to the account (collected when you make online payments for services)

Purpose for Collecting Sensitive Personal Information:

We use your financial account information solely for the following purposes:

  • Processing your payments for contracting services
  • Preventing fraud and unauthorized transactions
  • Maintaining transaction records for accounting and tax compliance
  • Fulfilling legal and regulatory obligations

We do NOT use or disclose sensitive personal information for purposes of inferring characteristics about you.

Right to Limit Use of Sensitive Personal Information:

You have the right to limit our use and disclosure of your sensitive personal information to only those uses necessary to perform the services or provide the goods you requested, or for specific enumerated business purposes permitted under California law.

However, because we only use your financial account information for the specific transaction purposes described above (processing payments you authorize), exercising this right will not change how we handle your sensitive personal information.

Business Purpose for Collection:

  • Service delivery and customer relationship management
  • Marketing and promotional communications
  • Website analytics and improvement
  • Legal compliance and security
  • Business operations and record-keeping

As detailed in Section 4 of this Privacy Policy.

Categories of Third Parties We Share Personal Information With:

  • Service providers and vendors (payment processors, hosting providers, email service providers, CRM systems, cloud storage)
  • Analytics and advertising partners (Google Analytics, Google Ads, Facebook Pixel)
  • Payment processors
  • Legal and regulatory authorities (when required by law)
  • Business transaction parties (in the event of merger, acquisition, or sale)

Sale and Sharing of Personal Information:

We "share" personal information with advertising partners (Google Ads, Facebook Pixel) for cross-context behavioral advertising purposes. Under CCPA/CPRA, this constitutes "sharing" of personal information. We do NOT sell personal information for monetary consideration.

Categories of Personal Information Sold or Shared:

In the preceding 12 months, we have shared the following categories of personal information for cross-context behavioral advertising:

  • Identifiers (IP address, device identifiers, cookie identifiers)
  • Internet or network activity (browsing behavior, pages visited)
  • Geolocation data (general location based on IP address)
  • Inferences (preferences and interests)

Categories of Third Parties to Whom Personal Information is Sold or Shared:

  • Advertising networks and platforms (Google Ads, Facebook/Meta)
  • Analytics providers that facilitate advertising (Google Analytics when linked to advertising features)

We do NOT sell or share sensitive personal information.

Data Retention by Category:

  • Contact Information (Name, Email, Phone, Address): Retained for the duration of the business relationship plus 7 years after the last interaction for tax, accounting, and legal compliance purposes
  • Payment Information: Credit card numbers are not stored by us; they are processed and stored by our third-party payment processor. Transaction records are retained for 7 years for accounting and tax compliance
  • Project Details and Communications: Retained for the duration of the business relationship plus 7 years for warranty, liability, and legal purposes
  • Website Usage Data and Analytics: Retained for 26 months (aligned with Google Analytics standard retention)
  • Marketing Communications Data: Retained until you opt out, plus 30 days to process the opt-out request
  • Device and IP Information: Retained for 12 months for security and fraud prevention

Your CCPA/CPRA Rights:

  1. Right to Know: You have the right to request that we disclose:

    • The categories of personal information we collected about you
    • The categories of sources from which we collected the information
    • The business or commercial purpose for collecting, selling, or sharing the information
    • The categories of third parties to whom we disclose the information
    • The specific pieces of personal information we collected about you

  2. Right to Delete: You have the right to request deletion of your personal information, subject to certain legal exceptions (e.g., completing transactions, detecting security incidents, complying with legal obligations, internal uses reasonably aligned with your expectations).

  3. Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.

  4. Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell information for money, but we share information with advertising partners for targeted advertising, which qualifies as "sharing" under CPRA.

    To opt out: https://lavacagc.com/do-not-sell

  5. Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of sensitive personal information to only those uses necessary for performing services or providing goods you requested. As noted above, we only use financial information for authorized payment processing.

  6. Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA/CPRA rights. We will not:

    • Deny you goods or services
    • Charge different prices or rates for goods or services
    • Provide a different level or quality of goods or services
    • Suggest that you will receive a different price, rate, level, or quality of goods or services

  7. Right to Opt-Out via Universal Opt-Out Mechanism: We recognize and process opt-out preference signals sent through user-enabled global privacy controls, such as Global Privacy Control (GPC), as valid requests to opt out of the sale/sharing of your personal information.

How to Exercise Your Rights:

To exercise your Right to Know, Right to Delete, or Right to Correct:

  • Email: alex@lavacagc.com
  • Phone: (201) 212-4917
  • Mail: 51 Crestmont Rd, West Orange, New Jersey 07052

To exercise your Right to Opt-Out of Sale/Sharing:

Verification Process:

To protect your privacy and security, we will verify your identity before processing your request. We may ask you to:

  • Provide identifying information that matches information we have on file
  • Confirm details about your interactions with us or services requested
  • If you have an account, log in to verify your identity

You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization or power of attorney, and we may require you to verify your identity directly with us.

Response Timeline:

We will acknowledge receipt of your request within 10 business days and respond substantively within 45 days. If we need additional time (up to 90 days total), we will notify you of the extension and the reason within the initial 45-day period.

California Privacy Rights Act (CPRA) - Additional Disclosures:

Effective January 1, 2023, the CPRA provides additional protections:

  • Enhanced rights regarding sensitive personal information
  • Right to correction of inaccurate information
  • Expanded definition of "sharing" to include cross-context behavioral advertising
  • Requirement to honor universal opt-out mechanisms

Contact Information for Privacy Questions:

For California privacy-specific inquiries: Email: alex@lavacagc.com Phone: (201) 212-4917 Address: 51 Crestmont Rd, West Orange, New Jersey 07052

California "Shine the Light" Law:

California Civil Code Section 1798.83 permits California residents to request certain information about disclosure of personal information to third parties for direct marketing purposes. To make such a request, contact us using the information above.

16.2 New Jersey Residents (NJDPA)

Applicability: As a New Jersey-based business, we comply with the New Jersey Data Protection Act (NJDPA), effective January 15, 2025.

Data Minimization Commitment: We limit our collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to you in this Privacy Policy.

Sensitive Personal Information: Under NJDPA, certain categories of information are considered "sensitive," including financial information (account numbers, credit/debit card numbers with security codes). We process sensitive personal information only with your consent or as permitted by law.

Your NJDPA Rights:

  • Right to Confirm: Confirm whether we are processing your personal data
  • Right to Access: Obtain a copy of your personal data in a readily usable format
  • Right to Correct: Correct inaccuracies in your personal data
  • Right to Delete: Request deletion of your personal data (subject to legal exceptions)
  • Right to Opt-Out: Opt out of:
    • Targeted advertising
    • Sale of personal data
    • Profiling in furtherance of decisions that produce legal or similarly significant effects

Universal Opt-Out Mechanism: Effective July 15, 2025, we recognize user-selected universal opt-out mechanisms that communicate your opt-out preferences, such as Global Privacy Control (GPC). When we detect such a signal from your browser, we will treat it as a valid request to opt-out of the sale of personal data and targeted advertising.

Response Timeline: We will respond to your NJDPA rights requests within 45 days of receipt. If we need additional time (up to an additional 45 days), we will notify you of the extension and the reason for it.

No Retaliation: We will not discriminate against you for exercising your NJDPA rights, including by denying goods or services, charging different prices, or providing a different level of quality.

How to Exercise Your Rights: To exercise any of your NJDPA rights, please contact us using the information in Section 14. We may need to verify your identity before processing your request.

Appeals Process: If we deny your request, you have the right to appeal our decision. We will provide information about how to appeal in our response to your request.

16.3 European Union (GDPR)

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to our processing of your personal data.

Legal Basis for Processing:

We process your personal data under the following legal bases:

  1. Contractual Necessity (GDPR Article 6(1)(b)): To provide the services you request from us, including:

    • Processing service inquiries and providing estimates
    • Delivering contracting services
    • Processing payments
    • Communicating about your project

  2. Legal Obligation (GDPR Article 6(1)(c)): To comply with legal requirements, including:

    • Tax and accounting record-keeping
    • Regulatory compliance for contracting licenses
    • Responding to lawful government requests

  3. Legitimate Interests (GDPR Article 6(1)(f)): For our legitimate business interests, which include:

    • Website security and fraud prevention
    • Improving our services and website functionality
    • Internal business administration
    • Analyzing business performance

    We have conducted a balancing test and determined these interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests.

  4. Consent (GDPR Article 6(1)(a)): For certain activities, we obtain your explicit consent, including:

    • Marketing communications (you may withdraw consent at any time)
    • Non-essential cookies and tracking technologies
    • Any processing not covered by the legal bases above

Special Categories of Personal Data:

We do not intentionally collect "special categories" of personal data (racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation). If you voluntarily provide such information (e.g., in project communications), we will process it only with your explicit consent or as permitted under GDPR Article 9.

Your GDPR Rights:

  1. Right of Access (Article 15): Obtain confirmation of processing and access to your personal data
  2. Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
  3. Right to Erasure (Article 17): Request deletion in certain circumstances ("right to be forgotten")
  4. Right to Restriction of Processing (Article 18): Limit how we use your data in certain situations
  5. Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
  6. Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
  7. Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time (without affecting lawfulness of processing before withdrawal)
  8. Right Not to Be Subject to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing with legal/significant effects

International Data Transfers and Safeguards:

When we transfer your personal data from the EU/EEA to the United States or other countries that do not have an adequacy decision from the European Commission, we implement appropriate safeguards, including:

  1. Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses with our service providers who process EU personal data outside the EU/EEA.

  2. Supplementary Measures: In addition to SCCs, we implement technical and organizational measures to protect your data, including:

    • Encryption of data in transit and at rest
    • Access controls and authentication
    • Regular security assessments
    • Data minimization practices
    • Contractual restrictions on onward transfers

  3. Transfer Impact Assessments: We have assessed the legal framework in countries to which we transfer data to ensure that the SCCs and supplementary measures provide an adequate level of protection.

Your Right to Information:

You may request a copy of the safeguards we have in place for international transfers by contacting us using the information in Section 14. We will provide you with a copy of the Standard Contractual Clauses we use (with commercially sensitive information redacted).

Supervisory Authority:

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Retention Periods:

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected (detailed in Section 7) and to comply with legal obligations. You may request specific retention periods for your data by contacting us.

Exercising Your Rights:

To exercise any GDPR rights, please contact us using the information in Section 14. We will respond within one month (extendable by two additional months for complex requests, with explanation).

16.4 Residents of Other U.S. States with Privacy Laws

If you are a resident of Colorado, Connecticut, Utah, Virginia, Montana, Oregon, Texas, or other states with comprehensive privacy laws, you have rights similar to those described for California and New Jersey residents, including:

  • Right to confirm whether we process your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of:
    • Targeted advertising
    • Sale of personal data
    • Profiling in furtherance of decisions that produce legal or similarly significant effects

How to Exercise Your Rights:

Contact us using the information in Section 14, specifying your state of residence and the right you wish to exercise.

Response Timeline:

We will respond to requests from residents of these states within 45 days (or as otherwise required by your state's law).

Appeals:

If we deny your request, you have the right to appeal. We will provide information about the appeals process in our response.

17. Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions will continue in full force and effect. The invalid, illegal, or unenforceable provision will be modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving the original intent, or if such modification is not possible, will be severed from this Privacy Policy.

18. Entire Agreement

This Privacy Policy, together with our Terms and Conditions https://lavacagc.com/terms, constitutes the entire agreement between you and lavacagc.com regarding the collection, use, and disclosure of your personal information. This Privacy Policy supersedes any prior agreements, representations, or statements regarding our privacy practices, whether written or oral.

If there is any conflict between this Privacy Policy and our Terms and Conditions, the terms of this Privacy Policy will govern with respect to privacy and data protection matters.

19. No Waiver

Our failure to enforce any provision of this Privacy Policy or to exercise any right under this Privacy Policy will not constitute a waiver of that provision or right. Any waiver of any provision of this Privacy Policy must be in writing and signed by an authorized representative of lavacagc.com.

20. Governing Law and Dispute Resolution

Governing Law:

This Privacy Policy and any disputes arising out of or related to this Privacy Policy or our data practices will be governed by and construed in accordance with the laws of the State of New Jersey, without regard to its conflict of laws principles.

However: This choice of law does not override:

  • The mandatory consumer protection laws of your jurisdiction (including CCPA/CPRA for California residents, NJDPA for New Jersey residents, GDPR for EU/EEA residents, and other applicable state privacy laws)
  • Your statutory rights under applicable privacy and consumer protection laws
  • Jurisdictional requirements of privacy regulators

Regulatory Actions:

Nothing in this section limits the jurisdiction of regulatory authorities (California Attorney General, NJ Division of Consumer Affairs, European supervisory authorities, FTC, etc.) to investigate or take enforcement action regarding privacy law violations.

Alternative Dispute Resolution:

Before initiating any legal action, we encourage you to contact us using the information in Section 14 to attempt to resolve the dispute informally. We are committed to working with you to reach a fair resolution of any privacy-related concerns.

EFFECTIVE DATE

This Privacy Policy is effective as of the "Last Updated" date indicated at the top of this document.

Last Updated: November 12, 2025 Version: 2.0 Original Effective Date: November 12, 2025