1 - Our Data Protection Commitment
At Once Interactive, data protection is not a reactive measure — it is embedded into how we design our systems, select our tools, train our team, and serve our clients. Whether we are running an SEO campaign, building a WordPress site, or managing paid media, we handle data with the same degree of care we bring to every aspect of our work.
This page explains the specific technical and organizational measures we implement, the principles that guide our data handling, and how we work with clients to ensure their customers' data is treated with the utmost respect and security.
Our Promise
We do not sell personal data. We collect only what we need. We protect what we hold. And we are transparent about how we do all of it.
2 - Data Protection Principles
Our data protection practices are anchored to the following core principles, consistent with GDPR Article 5 and international best practices:
1. Lawfulness, Fairness & Transparency
We collect and process personal data only when we have a lawful basis and always in a manner that is fair and transparent to the individuals concerned. We do not process data in ways that people would not reasonably expect.
2. Purpose Limitation
Data is collected for specific, explicit, and legitimate purposes. We do not repurpose data for uses incompatible with the original purpose without obtaining fresh consent or identifying another lawful basis.
3. Data Minimization
We collect only the minimum amount of personal data required to accomplish the defined purpose. We regularly audit our data collection practices to ensure we are not collecting more than necessary.
4. Accuracy
We take reasonable steps to keep personal data accurate and up to date. We provide mechanisms for individuals to correct their information and respond promptly to correction requests.
5. Storage Limitation
We retain personal data for no longer than necessary for the stated purpose, or as required by law. We maintain a documented data retention schedule and securely delete or anonymize data when it is no longer needed.
6. Integrity & Confidentiality
We use appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or damage. Security is built into our processes, not bolted on after the fact.
7. Accountability
We take responsibility for compliance with these principles and can demonstrate compliance through documentation, policies, staff training, and contractual arrangements with third parties.
3 - Technical Security Measures
Once Interactive implements the following technical measures to protect personal data in our systems and those of our clients:
Encryption in Transit
All data transmitted between users and our website (and client websites we manage) is encrypted using TLS 1.2 or higher (HTTPS/SSL). We enforce HTTPS sitewide.
Encryption at Rest
Sensitive data stored on our systems is encrypted at rest using industry-standard algorithms. This includes client account data and any files containing personal information.
Access Controls
Access to personal data is restricted on a strict need-to-know basis. We use role-based access control (RBAC) and require strong, unique passwords and multi-factor authentication (MFA) for internal systems.
Security Monitoring
We monitor our systems for suspicious activity and unauthorized access attempts. Server logs are reviewed and retained to support incident response.
Regular Backups
Client website data and critical business data are backed up regularly. Backups are tested for restorability and stored securely with restricted access.
WordPress Security
For WordPress projects, we implement hardening measures including: keeping core, themes, and plugins updated; removing unused plugins; using reputable security plugins; and configuring appropriate file permissions.
Secure Development Practices
Our development team follows secure coding standards, including input validation, output encoding, and protection against OWASP Top 10 vulnerabilities.
Email Security
We use email platforms with SPF, DKIM, and DMARC authentication to prevent spoofing. Confidential communications may be conducted through encrypted channels upon request.
4 - Organizational Security Measures
Technical measures alone are not enough. We pair them with strong organizational controls:
Staff Training: All team members handling personal data receive training on data protection principles, security practices, and how to identify and respond to threats;
Confidentiality Agreements: All employees and contractors with access to personal data or client information are bound by written confidentiality obligations;
Vendor Due Diligence: Before engaging any third-party service provider that will process personal data, we assess their security practices and ensure appropriate contractual protections are in place;
Internal Policies: We maintain internal data protection, acceptable use, and incident response policies. These are reviewed and updated regularly;
Incident Response Plan: We have a documented data breach response plan that defines roles, escalation paths, notification procedures, and post-incident review requirements;
Privacy by Design: We embed data protection into the design of new services, campaigns, and systems from the outset, rather than retrofitting protections afterward.
5 - Client Data Handling
When we process personal data on behalf of our clients (acting as a Data Processor), we take the following steps to protect that data:
We process client data only in accordance with documented instructions from the client;
We do not access, use, or disclose client data for any purpose beyond delivering the agreed services;
We ensure that personnel accessing client data are bound by confidentiality obligations;
We provide reasonable assistance to clients in responding to data subject requests, breach notifications, and regulatory inquiries;
Upon termination of services, we return or securely delete client data as instructed (typically within 30 days);
We notify clients of any data breach affecting their data without undue delay.
Client Responsibilities
Clients who share personal data with Once Interactive (such as customer email lists, website visitor data, or CRM records) are responsible for ensuring they have the appropriate legal basis to share that data with us and that their privacy policies accurately describe how they use third-party service providers. Once Interactive is available to assist clients in reviewing these obligations.
6 - Third-Party Service Providers & Sub-Processors
Once Interactive uses a carefully selected set of third-party tools and service providers in the delivery of our services. These sub-processors may process personal data on our behalf. We ensure that each sub-processor has entered into appropriate data processing agreements and maintains security standards consistent with applicable law.
Key categories of sub-processors and the tools we typically use include:
This list is not exhaustive and may change over time. For an up-to-date list of sub-processors relevant to a specific client engagement, please contact hello@onceinteractive.com.
7 - Data Breach Response
Despite our best efforts, no system is immune to security incidents. In the event of a suspected or confirmed data breach affecting personal data, Once Interactive follows a structured incident response process:
Step 1 — Identify & Contain: Detect the breach as early as possible and take immediate steps to contain it and prevent further unauthorized access or data loss;
Step 2 — Assess: Determine the nature, scope, and severity of the breach; identify what personal data was affected and the likely impact on data subjects;
Step 3 — Notify (Regulators): Where required by law (e.g., GDPR or applicable U.S. state law), notify the relevant supervisory authority within the required timeframe (72 hours under GDPR where feasible);
Step 4 — Notify (Individuals): Where the breach poses a high risk to affected individuals, notify them directly in clear and plain language, including what happened, what data was involved, and what steps they can take;
Step 5 — Notify (Clients): Where we act as a Data Processor, notify the affected client without undue delay so they can fulfill their own notification obligations;
Step 6 — Remediate: Take steps to address the root cause of the breach and strengthen controls to prevent recurrence;
Step 7 — Document: Record all breaches (including those that do not require external notification) along with the facts, effects, and remedial actions taken.
To report a suspected security incident or data breach, please contact us immediately at hello@onceinteractive.com.
8 - AI Tools & Data Protection
As an AI-forward agency offering services including AI Discovery Optimization and AI-powered marketing solutions, Once Interactive takes specific care around the use of artificial intelligence tools in connection with personal data.
We do not input identifiable client customer data into third-party AI language models (such as ChatGPT or similar tools) without appropriate contractual protections and client authorization;
Where AI tools are used internally (e.g., for content ideation, data analysis, or campaign optimization), we ensure outputs are reviewed by qualified humans before being acted upon;
We evaluate AI tools used in client campaigns for compliance with applicable privacy laws, including their data processing and retention practices;
We are transparent with clients about which AI-powered tools are used in their projects and their associated data handling practices.
As AI regulations evolve, we are committed to keeping our practices current and ensuring that AI is used responsibly, ethically, and in compliance with applicable law.
9 - Contact & Reporting
If you have questions about our data protection practices, want to report a security concern, or wish to exercise any data protection rights, please reach out:
Once Interactive, Inc. — Privacy & Data Protection
9205 W Russell Rd, Suite 240 · Las Vegas, NV 89148
Email: hello@onceinteractive.com
Las Vegas: +1.702.563.4480
Los Angeles: +1.310.955.7242
Facebook: facebook.com/onceinteractivelv
Instagram: instagram.com/onceinteractive
Contact page: onceinteractive.com/contact-us
For security-related disclosures and responsible vulnerability reporting, please email us with the subject line "Security Disclosure" so we can prioritize your message appropriately.