(909) 548-0925 service@cemech.com

1. Definitions

For the purposes of this Privacy Policy, “Personal Data” refers to any information that identifies, relates to, describes, or could reasonably be linked to an individual. This includes, but is not limited to, names, contact details, identification numbers, location data, online identifiers, and information related to employment or financial transactions. “Processing” refers to any operation performed on personal data, whether automated or manual, including collection, recording, organization, storage, modification, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

A “Controller” is the entity that determines the purposes and means of processing personal data. In this case, C.E. Mechanical, Inc., a California corporation (“CEM”), acts as the data Controller when collecting information directly from clients, employees, vendors, or website visitors. A “Processor” refers to any third party or service provider that processes personal data on behalf of the Controller, subject to strict contractual obligations that ensure the security and confidentiality of the data. This includes third parties involved in building automation systems, HVAC controls, and operational data analysis. Understanding these definitions helps clarify the responsibilities we hold and the rights afforded to individuals under privacy laws.


2. Scope of This Policy

This Privacy Policy applies to all personal information collected by CEM in the course of providing HVAC consulting, mechanical contracting, building automation, and related services. It covers data collected from clients, subcontractors, suppliers, vendors, prospective employees, and website visitors throughout Southern California, including, but not limited to, the following counties: Los Angeles, Orange, San Diego, Riverside, San Bernardino, Ventura, Imperial, and Santa Barbara. This broad coverage ensures that the policy applies wherever CEM operates within the region.

This policy applies to personal information collected through various channels, including in-person interactions, telephone communications, electronic communications, CEM’s website, mobile applications, and any third-party platforms used in the course of business operations. It also extends to data obtained during site visits, building assessments, and the deployment of building automation systems.

The policy ensures compliance with federal, state, and local data protection regulations, including, but not limited to, the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), California Online Privacy Protection Act (“CalOPPA”), Title 24, CALGreen, and relevant provisions under the California Air Resources Board (“CARB”) and South Coast Air Quality Management District (“AQMD”). Additionally, it covers compliance obligations under Cal/OSHA where employee and job site safety data are involved.

This policy outlines how CEM handles personal data during service, delivery, recruitment, marketing activities, and contractual obligations. It also governs data obtained through partnerships, vendor relationships, subcontractor engagements, and building automation systems, ensuring a consistent and legally compliant approach to privacy across all touchpoints of our operations.

3. Information We Collect

We collect a range of personal information to support our business activities and ensure compliance with industry standards and legal requirements. This includes basic identifying information such as names, job titles, contact details (e-mail addresses, phone numbers, and physical addresses), as well as billing and payment information necessary for financial transactions. For employment purposes, we collect resumes, employment history, background check information, and other data required for onboarding, payroll, and benefits administration.

In the context of HVAC projects and building automation systems, we gather technical and operational data, including project specifications, building layouts, mechanical system details, compliance reports, site photographs, sensor data, and equipment logs. We also collect digital data from our website and online platforms, such as IP addresses, browser types, device identifiers, cookies, geolocation data, and usage statistics. This helps us analyze website performance, enhance user experiences, and improve service delivery. Sensitive information, such as health and safety records or government-issued identification numbers, may also be collected where legally required or necessary for specific business functions.

4. How We Use Your Information

We process personal data to deliver our HVAC consulting, installation, maintenance, repair, and building automation services effectively. This includes managing client relationships, fulfilling contractual obligations, coordinating with subcontractors, and ensuring compliance with relevant codes, including Title 24, CALGreen, OSHA, and DSA standards. We use personal data to manage project timelines, schedule maintenance activities, monitor system performance, and maintain safety and quality standards on job sites. Additionally, we process data to manage financial transactions, including invoicing, billing, and tax reporting.

Beyond operational needs, we use personal information for administrative purposes such as internal audits, regulatory compliance, legal risk management, and security monitoring in building automation systems. We may also use data for marketing and communication efforts, including sending newsletters, service updates, and promotional materials.

5. Marketing Communications and Compliance with the CAN-SPAM Act

We may send marketing emails, newsletters, or promotional materials to individuals who have provided their consent or where we have a legitimate business relationship. In compliance with the CAN-SPAM Act, we ensure that:

  • Clear Identification: All marketing communications are clearly identified as advertisements where applicable.
  • Accurate Information: The sender information is accurate, including a valid physical postal address.
  • Opt-Out Mechanism: Every marketing email includes a clear and easy-to-use option to unsubscribe from future communications. We promptly honor all opt-out requests, typically within 10 business days.
  • No Third-Party Transfers: We do not sell or transfer e-mail addresses to third parties for their marketing purposes without explicit consent.

If you no longer wish to receive marketing communications from us, you may opt out at any time by clicking the “unsubscribe” link in the e-mail or by contacting us directly using the information provided in the “Contact Us” section.

Where consent is provided, we use contact information to share industry news, event invitations, and service announcements. Individuals can opt out of marketing communications at any time. Furthermore, data is used to maintain the security of our digital platforms, protect against fraud, and ensure the integrity of our IT systems, IoT devices, and physical infrastructure.

6. Legal Basis for Processing Personal Information

We process personal data based on several legal grounds, depending on the nature of the information and the purpose for which it is collected. The primary legal basis is the performance of a contract, where data processing is necessary to fulfill our contractual obligations to clients, subcontractors, vendors, and employees. This includes processing data for project management, service delivery, invoicing, compliance with contractual terms, and data derived from building automation systems.

Additionally, we process personal information to comply with legal obligations, such as tax reporting, health and safety requirements, and labor laws, including requirements under Cal/OSHA for employee safety data. In certain cases, we rely on legitimate interests to process personal data, provided these interests do not override the fundamental rights and freedoms of the individuals involved. Our legitimate interests include improving our services, enhancing customer relationships, conducting business analytics, and ensuring the security of our operations, particularly with respect to data from automated building systems and IoT devices.

Where required by law, we obtain explicit consent before processing sensitive personal data or engaging in specific marketing activities. Individuals have the right to withdraw consent at any time, which will not affect the lawfulness of processing based on consent prior to its withdrawal.

7. Information Sharing and Disclosure

We do NOT sell your personal information. However, we may share your data with trusted third parties to support our business operations, comply with legal obligations, or deliver our HVAC and building automation services effectively. Third parties include, but are not limited to, subcontractors, suppliers, service providers, consultants, and technology vendors involved in project execution, equipment procurement, IoT device management, and system installations. These third parties are contractually obligated to handle your data securely, restrict its use to authorized purposes, and comply with applicable data protection laws, including flow-down clauses to ensure subcontractor compliance.

Additionally, we may disclose personal information to legal authorities, government agencies, or regulatory bodies when required by law, court orders, or compliance with legal processes. In cases of mergers, acquisitions, or business restructuring, your data may be transferred to relevant parties as part of the transaction. We also reserve the right to share information when necessary to protect our legal rights, prevent fraud, ensure safety, or respond to security threats. In all instances, we implement appropriate safeguards to protect your data, including encryption, strict access controls, and legal agreements with third parties that outline their responsibilities regarding data protection.

When sharing personal information, we ensure that only the minimum necessary data is disclosed and that it is used solely for the intended purpose. We require third parties to provide assurances of data security and compliance with privacy laws. Furthermore, we conduct regular audits, risk assessments, and due diligence processes to verify that our data-sharing practices meet industry standards and legal requirements, ensuring the continuous protection of your personal information.

8. Data Retention

We retain personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, including legal, regulatory, accounting, or reporting obligations. The retention period varies depending on the type of data, the reason it was collected, and the applicable legal requirements. For example, financial records, contracts, building automation system logs, and compliance-related documents may be retained for statutory periods required by tax authorities or industry-specific regulations like OSHA and Title 24.

When determining retention periods, we consider factors such as data sensitivity, potential risks associated with unauthorized access, and the necessity of the information for ongoing business operations. Once personal data is no longer required, we securely delete, anonymize, or de-identify it using appropriate technical measures. In cases where legal claims or disputes are anticipated, we may retain certain records beyond standard retention timelines to support litigation, audits, or regulatory investigations.

Additionally, we periodically review the data we hold to ensure it is accurate, up-to-date, and necessary for the purposes for which it was collected. Data that is found to be redundant or obsolete is subject to secure disposal procedures, including digital data wiping, encryption protocols, and physical document shredding. Our data retention and disposal policies are designed to minimize the risk of unauthorized access and to comply with data protection laws, ensuring that personal information is handled responsibly throughout its lifecycle.

9. Data Security

We are committed to protecting your personal information through a comprehensive data security framework. This includes implementing administrative, technical, and physical safeguards designed to prevent unauthorized access, disclosure, alteration, or destruction of data. Technical measures include encryption protocols, secure servers, firewalls, intrusion detection systems, multi-factor authentication, and Zero Trust Architecture principles for systems that handle sensitive information, particularly for IoT devices and building automation platforms.

Our physical security protocols ensure that data stored on-site is protected through restricted access to facilities, surveillance systems, and secure storage environments. Administrative controls include employee training on data protection policies, strict access controls based on job roles, and regular reviews of data handling practices. In the event of a data breach, we have an incident response plan that includes immediate containment, risk assessment, notification procedures, and remediation measures to mitigate potential harm. This comprehensive approach ensures that your personal data remains protected throughout its lifecycle, from collection to secure disposal.

10. Your Rights and Choices

Depending on your jurisdiction, you may have specific rights regarding the personal information we collect and process. These rights are designed to provide transparency, control, and autonomy over your data. Common rights include the right to access personal data, request corrections to inaccurate information, and request deletion of data when it is no longer needed for the purposes for which it was collected. Additionally, you may have the right to restrict or object to certain processing activities, such as direct marketing, data profiling, or IoT data analytics, where applicable under the law.

To exercise your rights, please contact us using the information provided in the “Contact Us” section. We may require verification of your identity before processing your request to ensure the security of your personal information. Requests will be handled within legally mandated timeframes, and we will provide explanations if we are unable to fulfill certain requests due to legal obligations or legitimate business interests. We are committed to respecting your privacy rights and ensuring compliance with applicable data protection laws, and we strive to provide clear communication throughout the request process to support your understanding and control over your personal data.

11. California Privacy Rights

California residents are entitled to additional privacy rights under the “CCPA” and “CPRA.” These laws provide enhanced protections for personal information collected from California residents, including the right to know what categories of personal data we collect, the purposes for which it is used, and the third parties with whom it is shared. California residents also have the right to request access to their personal information, request deletion of their data, and request corrections to inaccurate personal information that we maintain about them.

We do not sell personal information as defined under the “CCPA”/“CPRA”. However, if our practices change, we will update this policy and provide a clear opt-out mechanism to allow California residents to exercise their right to opt out of the sale or sharing of personal information. To exercise your California privacy rights, submit a verifiable consumer request through the contact methods provided in this policy. We will respond within the timeframes required by law and ensure that your rights are honored without discrimination, regardless of whether you choose to exercise them. For more information about your rights under the CCPA/CPRA or to submit a request, please refer to the “Contact Us” section of this policy.

12. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze website performance, and support our marketing efforts. Cookies are small text files stored on your device that help us recognize your preferences, track your activity on our site, and provide a more personalized experience.

Types of Cookies We Use:

  • Essential Cookies: Necessary for the website to function properly. They enable core functionalities such as security, network management, and accessibility.
  • Performance Cookies: Collect information about how visitors interact with our website, such as which pages are visited most often. This data helps us improve website performance.
  • Functional Cookies: Allow the website to remember choices you make (like language or region preferences) to provide enhanced, personalized features.
  • Targeting/Advertising Cookies: Track your browsing habits to deliver relevant advertisements. These may be set through our site by advertising partners to build a profile of your interests.

How We Use Tracking Technologies:

In addition to cookies, we use tracking technologies such as:

  • Web Beacons: Small graphic files that monitor website traffic and user behavior.
  • Pixels: Code snippets embedded in emails or websites to track engagement and conversions.
  • Scripts: Enhance functionality and interactivity on our site while collecting usage data.

Managing Your Cookie Preferences:

You can control or disable cookies through your browser settings at any time. Disabling cookies may limit the functionality of certain website features, but it will not affect your ability to access core services. You may also opt out of targeted advertising by visiting www.aboutads.info/choices or similar platforms.

Third-Party Cookies:

Some cookies are placed by third parties on our behalf. These include analytics providers and advertising partners who may use cookies to deliver targeted ads based on your browsing history. We encourage you to review their privacy policies for more information.

For more details, please refer to our dedicated Cookie Policy, which provides comprehensive information on how we use cookies, the types of cookies we utilize, and the options available for managing your cookie preferences effectively.

13. Automated Decision-Making and Profiling

We do not engage in automated decision-making processes that produce legal or similarly significant effects on individuals. Automated decision-making refers to decisions made solely by algorithms or automated systems without human intervention. While we may use data analytics tools to improve operational efficiency, these tools do not make final decisions regarding service delivery, employment opportunities, or client engagements without human oversight.

If we implement automated decision-making in the future, particularly within building automation systems, we will update this policy to include information about the logic involved, potential consequences, and your rights related to such processing. Where required by law, we will seek your consent before engaging in automated profiling activities. You will also have the right to request human intervention, express your viewpoint, and contest decisions made solely through automated processing.

14. Third-Party Links

Our website may contain links to third-party websites, services, or applications that are not operated or controlled by CEM. These external links are provided for convenience and informational purposes only. We do not endorse or assume responsibility for the privacy practices, content, or security of third-party websites. We encourage you to review the privacy policies of any external sites you visit to understand how your personal information will be collected, used, and protected.

Interactions with third-party websites are governed by their respective terms and privacy policies. We disclaim any liability for damages or issues that may arise from your use of third-party content, links, or services. If you believe a third-party site linked from our website is unsafe or inappropriate, please notify us immediately so that we can review and take appropriate action, if necessary.

15. Children’s Privacy

Our services are not directed at individuals under the age of 18, and we do not knowingly collect personal information from minors without parental consent. In compliance with the Children’s Online Privacy Protection Act (“COPPA”), we do not knowingly collect, solicit, or maintain information from children under the age of 13. If we become aware that we have inadvertently received personal information from a child under 13, without appropriate parental consent, we will take immediate steps to delete such data from our records.

If you are a parent or guardian and believe that your child has provided personal information to us without your consent, please contact us using the “Contact Us” section. We encourage parents and guardians to monitor their children’s online activities and educate them about safe internet practices to protect their privacy.

16. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our business practices, legal obligations, technological advancements, or the integration of new building automation technologies. When we make material changes to this policy, we will notify you by posting the updated policy on our website and updating the “Effective Date” at the top of the document. In cases where significant changes impact your privacy rights, we may provide additional notice through e-mail or other communication channels.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our services after the effective date of any changes constitutes your acceptance of the revised policy. If you disagree with the terms of the updated policy, you should discontinue using our services and contact us with any concerns.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the personal information we collect, please contact us using the information provided below. We are committed to addressing your privacy-related inquiries promptly and transparently.

C.E. Mechanical, Inc.
13327 Elliot Ave
Chino, CA 91710

Phone: 909-548-0925
Email: pr@cemech.com

If you are not satisfied with our response to your privacy concerns, you may have the right to file a complaint with a data protection authority in your jurisdiction. We are dedicated to resolving privacy issues responsibly and maintaining your trust in our data handling practices.

18. International Data Transfers

Although CEM operates primarily within the United States, there may be circumstances where personal data is transferred to, processed, or stored in jurisdictions outside of your state, province, or country of residence. This could occur if we work with third-party service providers, subcontractors, or cloud-based services that are located in other regions. We ensure that such transfers are conducted in compliance with applicable data protection laws, utilizing appropriate safeguards such as data encryption, contractual agreements, data protection clauses, and strict data handling procedures.

For data transferred outside the United States, we implement measures to ensure that your information remains protected to the same standards outlined in this policy. This includes conducting due diligence on third parties to verify their compliance with security and privacy obligations, and where necessary, implementing Standard Contractual Clauses or other legally recognized mechanisms to govern international data transfers. Additionally, we monitor these arrangements regularly to ensure continued compliance with evolving legal and regulatory requirements related to data protection.

19. Data Breach Notification

In the event of a data breach that compromises the confidentiality, integrity, or availability of your personal information, we are committed to taking swift and effective action. This includes promptly investigating the incident, mitigating any potential risks, and implementing corrective measures to prevent recurrence. If a breach poses a significant risk to your rights and freedoms, we will notify you without undue delay, providing details about the nature of the breach, the categories of data affected, the likely consequences, and the measures that we have taken or plan to take to address the breach.

In compliance with applicable laws, we will also notify relevant regulatory authorities as required. Our data breach response plan includes procedures for identifying, reporting, and managing security incidents, ensuring that we maintain transparency and accountability throughout the process. This plan outlines roles and responsibilities, communication strategies, and timelines for response activities. We encourage you to contact us immediately if you suspect any unauthorized use of your personal information or become aware of any security vulnerabilities related to our services. Our commitment is to handle all data breaches with urgency, transparency, and a focus on minimizing any potential harm to affected individuals.

20. Do Not Track (DNT) Signals

Some web browsers offer a “Do Not Track” (“DNT”) feature that signals to websites that you do not wish to have your online activities tracked. Currently, there is no universally accepted standard for how companies should respond to DNT signals. As a result, CEM does not respond to DNT signals or similar mechanisms transmitted by web browsers.

However, we respect your privacy and offer other mechanisms to control data collection and tracking. You can manage your preferences related to cookies and tracking technologies through your browser settings or by using opt-out features provided on our website. For more information about how we use tracking technologies, please refer to our “Cookies and Tracking Technologies” section.

21. Employee and Job Applicant Privacy

In addition to the personal information collected from clients and website visitors, CEM collects and processes personal data from employees, contractors, and job applicants as part of our employment and recruitment processes. This may include contact details, employment history, educational background, references, work eligibility documentation, compensation information, performance evaluations, and other information necessary for hiring, onboarding, payroll, benefits administration, training, and compliance with legal obligations.

Employee and job applicant data is handled with the same level of care as client data, and we implement appropriate security measures to protect this information. We only collect information necessary for legitimate business purposes, and access to employee data is restricted to authorized personnel involved in HR, payroll, legal compliance, and management functions. Employees and applicants have rights concerning their personal data, including the right to access, correct, or request deletion of their information, subject to applicable legal and regulatory requirements. We are committed to maintaining transparency in how we manage employee data and ensuring compliance with data protection laws in all employment-related matters.

22. Vendor and Third-Party Privacy Practices

We engage with various vendors, subcontractors, and third-party service providers to support our operations. While we maintain strict controls over the data we share, these third parties may collect or process personal information as part of the services they provide to us. We require all third-party partners to adhere to strict data protection standards through contractual agreements, including confidentiality clauses, data security obligations, and compliance with relevant privacy laws.

Despite our efforts to ensure third-party compliance, we encourage individuals to review the privacy policies of any external services linked to or integrated with our operations. CEM is not responsible for the privacy practices of third parties, and any data shared directly with them will be subject to their respective policies and procedures.

23. Data Accuracy and Updates

Maintaining accurate and up-to-date personal information is essential for providing high-quality services and ensuring compliance with legal requirements. We encourage you to review and update your information regularly to ensure its accuracy. You can request corrections to your personal data at any time by contacting us through the “Contact Us” section.

We may also periodically verify the accuracy of the information we hold, especially for regulatory compliance, billing accuracy, and project management purposes. If we identify discrepancies or outdated data, we will take reasonable steps to update the information, either through direct communication with you or through reliable third-party sources, as permitted by law.

24. Data Anonymization and Aggregation

In certain circumstances, we may anonymize or aggregate personal information to eliminate the possibility of identifying individuals. This process allows us to use data for analytical, research, and statistical purposes without compromising privacy. Anonymized data is no longer considered personal information and may be used to improve our services, assess business performance, conduct market research, and support operational decision-making.

Aggregated data may also be shared with third parties, such as industry partners or regulatory bodies, to provide insights into trends, service usage, or compliance metrics. When performing data anonymization or aggregation, we apply technical and organizational measures to ensure that the data cannot be re-identified, maintaining the highest standards of privacy protection.