PRIVACY POLICY

1. INTRODUCTION AND SCOPE

1.1 General Provisions

Westchester of Houston Community Association, a Texas non-profit corporation ("Association," "we," "us," or "our"), is committed to safeguarding the privacy and confidentiality of personal information collected from and about our community members, residents, property owners, tenants, vendors, contractors, website visitors, and other individuals who interact with our services (collectively, "you," "your," or "Data Subjects").

1.2 Scope of Application

This Privacy Policy ("Policy") governs the collection, use, processing, storage, disclosure, transfer, and deletion of Personal Information (as defined herein) in connection with:

• Access to and use of our website located at westchesthouston.org and any associated subdomains, mobile applications, or digital platforms (collectively, the "Platform");
• Community association services, including but not limited to property management, maintenance coordination, dues collection, and community governance;
• Communications and interactions with the Association, its agents, employees, contractors, and affiliated entities;
• Participation in community meetings, events, forums, and other Association-sponsored activities;
• Any other services, programs, or activities provided by or through the Association.

1.3 Legal Foundation

This Policy is designed to comply with applicable federal, state, and local privacy and data protection laws, including but not limited to the Texas Identity Theft Enforcement and Protection Act, the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act, and other applicable privacy regulations.

2. DEFINITIONS

For purposes of this Policy, the following terms shall have the meanings set forth below:

"Aggregate Information" means information that has been combined with information about other individuals and from which individual identities have been removed such that the information no longer identifies, relates to, describes, or is capable of being associated with a particular individual.

"Biometric Information" means information based on an individual's biological characteristics that can be used to identify that individual, including fingerprints, voiceprints, retina or iris scans, facial geometry, or other biological characteristics.

"Business Purpose" means the use of Personal Information for the Association's operational purposes, or other notified purposes, that are reasonably necessary and proportionate to achieve the operational purpose for which the Personal Information was collected or processed.

"De-identified Information" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual.

"Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including but not limited to identifiers such as name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

"Processing" means any operation or set of operations performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

"Sensitive Personal Information" means Personal Information that reveals: (a) social security, driver's license, state identification card, or passport number; (b) account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) precise geolocation; (d) racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) contents of mail, email, and text messages unless we are the intended recipient; (f) genetic data; (g) Biometric Information; (h) health information; or (i) information concerning sexual orientation or sex life.

"Third Party" means any individual, corporation, partnership, limited liability company, association, trust, unincorporated organization, or other legal entity that is not the Association, a Data Subject, or a Service Provider.

3. INFORMATION COLLECTION

3.1 Categories of Personal Information Collected

We collect and process the following categories of Personal Information:

3.1.1 Identifiers and Contact Information

• Legal names, aliases, and preferred names
• Residential and mailing addresses
• Telephone numbers (mobile, home, and business)
• Email addresses (personal and business)
• Unique personal identifiers and online identifiers
• Account usernames and encrypted passwords
• Emergency contact information

3.1.2 Protected Classification Characteristics

• Age and date of birth
• Marital status and family composition
• Protected class information as may be relevant to community operations and as permitted by law

3.1.3 Commercial and Financial Information

• Property ownership records and title information
• Community dues payment history and outstanding balances
• Assessment records and payment arrangements
• Banking and payment method information (processed through encrypted third-party payment processors)
• Insurance information related to community requirements
• Credit and collection information as permitted by law

3.1.4 Biometric Information

We do not knowingly collect Biometric Information except where specifically authorized and disclosed.

3.1.5 Internet and Electronic Network Activity

• Platform usage patterns, including pages visited, time spent, and click patterns
• Search queries and navigation paths
• Device identifiers, IP addresses, and geolocation data
• Browser type, operating system, and device characteristics
• Cookies, web beacons, and similar tracking technologies
• Log files and error reports

3.1.6 Geolocation Data

• Precise location information only when specifically authorized
• General location information derived from IP addresses

3.1.7 Audio, Electronic, Visual, or Similar Information

• Security camera footage from common areas (where applicable and disclosed)
• Recordings of community meetings (where permitted and disclosed)
• Photographs from community events (with appropriate consent)
• Voice recordings from customer service interactions (where disclosed)

3.1.8 Professional and Employment Information

• Occupation and employer information (when voluntarily provided)
• Professional references for vendor applications
• Business contact information for contractors and service providers

3.1.9 Education Information

Information relating to educational background only when specifically relevant and voluntarily provided.

3.1.10 Inferences and Profiles

• Profiles reflecting preferences, characteristics, behavior, and attitudes
• Inferences drawn from Personal Information to create profiles about individuals

3.2 Sources of Information Collection

3.2.1 Direct Collection

Information provided directly by Data Subjects through:

• Account registration and profile creation
• Online forms, surveys, and applications
• Email communications and correspondence
• Telephone conversations and voicemails
• In-person interactions and meetings
• Community event participation and registration
• Maintenance requests and service inquiries
• Payment processing and billing activities

3.2.2 Automatic Collection

Information collected automatically through:

• Platform analytics and tracking technologies
• Cookies, web beacons, and similar technologies
• Server logs and access records
• Device and browser information
• Network activity monitoring

3.2.3 Third-Party Sources

Information obtained from:

• Public records and databases
• Property title and ownership records
• Credit reporting agencies (where permitted)
• Service providers and contractors
• Vendors and business partners
• Government agencies and regulatory bodies
• Other residents and community members (with appropriate consent)

3.3 Collection Methods and Technologies

3.3.1 Cookies and Tracking Technologies

We employ various tracking technologies, including:

• Essential Cookies: Strictly necessary for Platform functionality
• Performance Cookies: Analytics and performance monitoring
• Functional Cookies: Enhanced features and user preferences
• Targeting Cookies: Personalization and relevant content delivery

3.3.2 Web Beacons and Pixel Tags

Small electronic files that track user interactions and measure content effectiveness.

3.3.3 Log Files

Automatic collection of IP addresses, browser information, access times, and requested pages.

3.3.4 Analytics Services

Third-party analytics providers that help us understand Platform usage and performance.

4. USE OF PERSONAL INFORMATION

4.1 Business Purposes

We process Personal Information for the following Business Purposes:

4.1.1 Community Operations and Management

• Maintaining accurate membership and property ownership records
• Processing dues, assessments, and fee collections
• Coordinating maintenance, repairs, and capital improvements
• Enforcing community covenants, conditions, and restrictions (CC&Rs)
• Managing architectural control and approval processes
• Facilitating community meetings and governance activities

4.1.2 Communication and Engagement

• Providing notices required by law, governing documents, or Association policies
• Disseminating community announcements, newsletters, and updates
• Facilitating resident communication through directories and forums
• Coordinating emergency communications and notifications
• Responding to inquiries, complaints, and service requests

4.1.3 Platform Operations and Security

• Providing, maintaining, and improving Platform functionality
• Authenticating user accounts and preventing unauthorized access
• Detecting, preventing, and responding to security incidents
• Troubleshooting technical issues and optimizing performance
• Conducting system maintenance and updates

4.1.4 Legal Compliance and Risk Management

• Complying with applicable laws, regulations, and legal processes
• Responding to lawful requests from government authorities
• Protecting against fraud, theft, and other illegal activities
• Enforcing our terms of service and community rules
• Defending legal claims and protecting legal rights

4.1.5 Analytics and Improvement

• Analyzing Platform usage patterns and user behavior
• Conducting research and development for service improvements
• Measuring effectiveness of communications and services
• Generating statistical and demographic analyses

4.2 Commercial Purposes

Subject to applicable law and with appropriate consent where required, we may process Personal Information for limited commercial purposes, including:

• Marketing Association services and amenities
• Promoting community events and activities
• Facilitating beneficial partnerships with local businesses
• Generating revenue through appropriate sponsorships and partnerships

4.3 Processing Basis

Our processing of Personal Information is based on:

• Contractual Necessity: Performance of community association agreements and governing documents
• Legal Obligations: Compliance with applicable laws and regulations
• Legitimate Interests: Community operations, safety, and security
• Consent: Where specifically obtained for particular processing activities

5. INFORMATION SHARING AND DISCLOSURE

5.1 Permitted Disclosures

We may share Personal Information in the following circumstances:

5.1.1 Service Providers and Business Partners

With Third-Party vendors, contractors, and service providers who:

• Provide services on our behalf under written agreements
• Are subject to confidentiality and data protection obligations
• Process information only as directed by the Association
• Implement appropriate security measures

Examples include:

• Property management companies
• Maintenance and landscaping contractors
• Payment processors and financial institutions
• Legal, accounting, and professional service providers
• Technology vendors and hosting providers
• Insurance carriers and risk management services

5.1.2 Community Members and Residents

Limited directory information may be shared among residents for legitimate community purposes, including:

• Names and addresses for community directory (with opt-out option)
• Contact information for committee participation
• Property ownership information as required by governing documents
• Assessment and dues status as permitted by law

5.1.3 Legal and Regulatory Requirements

We may disclose Personal Information when required or permitted by law, including:

• Response to valid legal process (subpoenas, court orders, warrants)
• Compliance with regulatory investigations and audits
• Cooperation with law enforcement and government agencies
• Protection of legal rights, property, and safety
• Prevention of fraud and other illegal activities

5.1.4 Business Transfers

In connection with:

• Merger, acquisition, or sale of Association assets
• Transfer of management responsibilities
• Reorganization or dissolution proceedings
• Assignment of contracts and agreements

5.1.5 Emergency Situations

For protection of health, safety, and welfare of individuals or the community, including:

• Emergency medical situations
• Natural disasters and safety threats
• Security incidents and criminal activities
• Child or elder abuse reporting as required by law

5.2 Prohibited Disclosures

We do not and will not:

• Sell Personal Information to Third Parties for monetary consideration
• Share Personal Information for Third-Party marketing without explicit consent
• Disclose Sensitive Personal Information except as specifically authorized
• Transfer Personal Information without appropriate safeguards

5.3 International Transfers

If Personal Information is transferred outside the United States, we will ensure appropriate safeguards are in place, including:

• Adequate data protection laws in the destination country
• Standard contractual clauses or binding corporate rules
• Explicit consent from the Data Subject where required
• Other legally recognized transfer mechanisms

6. DATA SECURITY AND PROTECTION

6.1 Security Measures

We implement comprehensive technical, administrative, and physical safeguards designed to protect Personal Information against unauthorized access, use, disclosure, alteration, and destruction, including:

6.1.1 Technical Safeguards

• Encryption of data in transit and at rest using industry-standard protocols
• Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption
• Multi-factor authentication for administrative access
• Regular security assessments and vulnerability testing
• Intrusion detection and prevention systems
• Secure backup and disaster recovery procedures

6.1.2 Administrative Safeguards

• Comprehensive privacy and security policies and procedures
• Regular employee training on data protection and privacy
• Background checks for personnel with access to Personal Information
• Incident response and breach notification procedures
• Regular audits and compliance monitoring
• Data minimization and retention policies

6.1.3 Physical Safeguards

• Restricted access to facilities containing Personal Information
• Secure storage of physical records and documents
• Environmental controls and monitoring systems
• Secure disposal of documents and electronic media
• Video surveillance and access logging systems

6.2 Data Breach Response

In the event of a security incident or data breach, we will:

• Immediately investigate and contain the incident
• Assess the scope and impact of the breach
• Notify affected individuals and regulatory authorities as required by law
• Implement remedial measures to prevent future incidents
• Provide credit monitoring or other protective services as appropriate
• Document the incident and lessons learned for future prevention

6.3 Limitations and Disclaimers

While we implement robust security measures, no method of transmission or storage is completely secure. We cannot guarantee the absolute security of Personal Information and expressly disclaim any warranty or representation regarding data security. Data Subjects assume the risk of unauthorized access, use, or disclosure of their Personal Information.

7. DATA SUBJECT RIGHTS AND CHOICES

7.1 Access Rights

You have the right to:

• Request confirmation of whether we are processing your Personal Information
• Obtain copies of your Personal Information in our possession
• Receive information about our processing activities and data sharing practices
• Request specific pieces of Personal Information we have collected about you

7.2 Correction and Update Rights

You may:

• Request correction of inaccurate or incomplete Personal Information
• Update your contact information and preferences through our resident portal
• Provide additional information to complete your records
• Request verification of corrected information

7.3 Deletion Rights

Subject to legal and contractual obligations, you may request deletion of your Personal Information. We will delete Personal Information unless retention is necessary for:

• Compliance with legal obligations
• Performance of contractual duties
• Exercise or defense of legal claims
• Community governance and operational requirements

7.4 Portability Rights

You may request that we provide your Personal Information in a structured, commonly used, and machine-readable format to facilitate transfer to another service provider.

7.5 Opt-Out Rights

You may opt out of:

• Non-essential marketing communications
• Directory listings and information sharing
• Certain cookies and tracking technologies
• Sale of Personal Information (where applicable)
• Targeted advertising and profiling

7.6 Communication Preferences

You can manage your communication preferences by:

• Updating your account settings in the resident portal
• Using unsubscribe links in electronic communications
• Contacting us directly with specific requests
• Attending community meetings to express preferences

7.7 Limitations on Rights

Rights may be limited or denied where:

• Disclosure would adversely affect the rights of others
• Information is protected by attorney-client or other legal privilege
• Deletion would violate legal or contractual obligations
• Requests are manifestly unfounded or excessive
• Processing is necessary for community operations or safety

7.8 Exercise of Rights

To exercise any of these rights:

1. Submit a written request through our designated channels
2. Provide sufficient information to verify your identity
3. Specify the particular right(s) you wish to exercise
4. Allow reasonable time for processing (typically 30-45 days)
5. Follow up if you do not receive acknowledgment within 10 business days

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 Types of Cookies

8.1.1 Essential Cookies

Strictly necessary for Platform operation and cannot be disabled:

• Authentication and session management
• Security and fraud prevention
• Basic Platform functionality
• Load balancing and performance

8.1.2 Analytics Cookies

Help us understand Platform usage and performance:

• Page view and user interaction tracking
• Performance monitoring and optimization
• Error reporting and debugging
• User behavior analysis

8.1.3 Functional Cookies

Enhance user experience and remember preferences:

• Language and region settings
• User interface customizations
• Accessibility features
• Previous form entries

8.1.4 Marketing Cookies

Support targeted content and advertising:

• Interest-based content delivery
• Social media integration
• Third-party advertising networks
• Conversion tracking and attribution

8.2 Cookie Management

You can control cookies through:

• Browser settings and privacy controls
• Our cookie preference center (where available)
• Third-party opt-out mechanisms
• Industry opt-out tools and registries

8.3 Third-Party Tracking

We may use Third-Party analytics and advertising services that collect information through cookies and similar technologies. These Third Parties have their own privacy policies and data practices.

9. CHILDREN'S PRIVACY

9.1 Age Restrictions

Our Platform and services are not intended for children under 13 years of age. We do not knowingly collect Personal Information from children under 13 without verifiable parental consent.

9.2 Parental Consent

Where we collect information about children under 13 (such as for family directory purposes), we:

• Obtain verifiable parental consent before collection
• Limit collection to information necessary for community purposes
• Provide parents with access and control over their child's information
• Allow parents to refuse further collection and request deletion

9.3 Discovery of Children's Information

If we learn that we have collected Personal Information from a child under 13 without appropriate consent, we will:

• Delete the information as soon as reasonably practicable
• Notify the parents (if identifiable)
• Implement additional safeguards to prevent future collection
• Review and update our collection practices as necessary

10. THIRD-PARTY SERVICES AND LINKS

10.1 Third-Party Websites and Services

Our Platform may contain links to Third-Party websites, services, or applications. This Policy does not apply to Third-Party sites, and we are not responsible for their privacy practices or content.

10.2 Social Media Integration

If you interact with our social media pages or use social media features on our Platform:

• Your interactions are subject to the social media platform's privacy policy
• We may receive information from social media platforms about your interactions
• You may control sharing through your social media privacy settings

10.3 Third-Party Analytics and Advertising

We may use Third-Party services for:

• Website analytics and performance monitoring
• Advertising and marketing services
• Customer relationship management
• Payment processing and financial services

These Third Parties may collect information about your online activities across different websites and services.

11. DATA RETENTION

11.1 Retention Principles

We retain Personal Information for the shortest period necessary to fulfill the purposes outlined in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

11.2 Specific Retention Periods

11.2.1 Community Records

• Property ownership records: Permanent retention
• Financial records: Minimum 7 years after final payment
• Meeting minutes and governance documents: Permanent retention
• Architectural control records: Life of the improvement plus 7 years

11.2.2 Communications and Correspondence

• Email communications: 3 years from date of communication
• Written correspondence: 7 years from date of correspondence
• Customer service records: 3 years from last interaction

11.2.3 Website and Platform Data

• User account information: Duration of account plus 1 year
• Analytics and usage data: 25 months from collection
• Security logs: 1 year from creation
• Cookie and tracking data: As specified in cookie notices

11.2.4 Legal and Compliance Records

• Records subject to legal holds: Duration of legal matter plus 7 years
• Compliance documentation: As required by applicable regulations
• Incident and breach records: 7 years from resolution

11.3 Secure Deletion

Upon expiration of retention periods, we securely delete or destroy Personal Information using methods that render the information unreadable and unrecoverable.

12. PRIVACY POLICY UPDATES

12.1 Modification Authority

We reserve the right to modify this Policy at any time to reflect changes in our practices, applicable laws, or business requirements.

12.2 Notice of Changes

Material changes to this Policy will be communicated through:

• Prominent notice on our website
• Email notification to registered users
• Notice at community meetings
• Other appropriate communication channels

12.3 Effective Date of Changes

Policy changes will take effect on the date specified in the updated Policy. Your continued use of our services after the effective date constitutes acceptance of the revised Policy.

12.4 Previous Versions

We maintain historical versions of this Policy for reference and compliance purposes.

13. CONTACT INFORMATION AND COMPLAINTS

13.1 Privacy Contact Information

For questions, concerns, or requests regarding this Policy or our privacy practices:

13.2 Data Subject Request Process

To submit a privacy-related request:

1. Use our designated request form (when available) or submit a written request
2. Include your full name, address, and contact information
3. Provide specific details about your request
4. Include proof of identity as required
5. Allow 30-45 days for processing

13.3 Complaint Resolution

If you believe we have violated your privacy rights:

1. Contact our Privacy Officer to file a complaint
2. Provide detailed information about the alleged violation
3. We will investigate and respond within 30 days
4. You may also file complaints with relevant regulatory authorities

14. JURISDICTION-SPECIFIC RIGHTS

14.1 Texas Privacy Rights

Texas residents may have additional rights under state privacy laws, including:

• Right to know about Personal Information collected, used, and shared
• Right to request deletion of Personal Information
• Right to opt out of sale of Personal Information
• Right to non-discrimination for exercising privacy rights

14.2 Other State Privacy Laws

Residents of other states may have additional rights under applicable state privacy laws. Contact us to learn about rights that may apply to you.

14.3 Federal Privacy Rights

All individuals have rights under applicable federal privacy laws, including rights related to:

• Credit reporting and financial information
• Health information privacy
• Electronic communications privacy
• Children's online privacy

15. LEGAL DISCLAIMERS AND LIMITATIONS

15.1 No Warranty

This Policy and our privacy practices are provided "as is" without warranty of any kind. We disclaim all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, and non-infringement.

15.2 Limitation of Liability

To the maximum extent permitted by law, we shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages arising from privacy-related claims, including damages for data breaches or unauthorized access.

15.3 Indemnification

By using our services, you agree to indemnify and hold harmless the Association, its officers, directors, employees, and agents from any claims, damages, or losses arising from your violation of this Policy or applicable privacy laws.

15.4 Severability

If any provision of this Policy is deemed invalid or unenforceable, the remaining provisions will continue in full force and effect.

16. CONSENT AND ACCEPTANCE

16.1 Consent to Processing

By using our Platform and services, you consent to the collection, use, and disclosure of your Personal Information as described in this Policy.

16.2 Withdrawal of Consent

You may withdraw your consent at any time, subject to legal and contractual limitations. Withdrawal of consent may affect our ability to provide services to you.

16.3 Acknowledgment

You acknowledge that you have read, understood, and agree to be bound by this Policy and any future modifications.