Privacy policy
1. Introduction
Information Direct, Inc. ("Information Direct," "we," "us," or "our") is committed to protecting the privacy and security of the personal information we collect, process, and maintain. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with the background screening services we provide.
This policy applies to our website (www.informationdirect.us), client portal (clients.informationdirect.us), and all related services. By using our services, you acknowledge that you have read and understood this Privacy Policy.
2. Information we collect
We collect information necessary to deliver pre-employment background screening services, including: applicant personal identifiers (name, date of birth, Social Security number, address history), employment and education history provided for verification, contact information for clients and authorized users, and usage data from interactions with our platform.
We collect this information directly from our clients who have obtained written authorization from applicants, from public records accessed through courthouse research, and from third-party verification sources as permitted by the FCRA.
3. How we use information
We use personal information exclusively for permissible purposes under the FCRA, including: compiling consumer reports at the request of authorized clients, performing courthouse research and record verification, processing employment, education, and professional license verifications, facilitating drug testing through our certified lab partners, and complying with legal and regulatory obligations.
We do not sell, rent, or trade personal information for marketing purposes. We do not use applicant data for any purpose other than fulfilling authorized background screening requests.
For website visitors, marketing contacts, and direct business communications, Information Direct acts as an independent controller. For client-instructed screening workflows, clients generally act as controllers or report users and Information Direct processes candidate data on documented instructions while also meeting independent consumer reporting agency duties under the FCRA and related laws.
4. Data sharing and disclosure
We share personal information only as follows: with the authorized client who requested the background check, with courthouse researchers and verification agents acting on our behalf, with certified laboratory partners for drug testing services, with regulatory or law enforcement authorities when required by law, and as necessary to comply with legal process, court orders, or government requests.
All third parties who access personal information on our behalf are bound by confidentiality agreements and are required to maintain security standards consistent with our own.
5. Data security
We implement comprehensive administrative, technical, and physical safeguards to protect personal information, including AES-256 encryption for sensitive candidate fields, TLS 1.2+ in transit, role-based access controls, administrative access logging, least-privilege permissions, security monitoring, regular security reviews, and documented incident response procedures. We do not publish certification claims unless a current attestation or certificate is available for client review.
6. Data retention and disposal
Consumer report records, authorizations, audit logs, and adverse action records are retained for at least five years unless a longer period is required by contract, litigation hold, or applicable law. Website inquiry records are generally retained for up to two years, client account records for the life of the relationship plus seven years, and security logs for up to two years unless needed for investigation. Upon expiration of the retention period, records are securely destroyed using methods that prevent reconstruction or recovery. Clients may request deletion of eligible account data by contacting privacy@informationdirect.us.
For non-FCRA California personal information, identifiers and client account contact details are generally retained for the life of the relationship plus seven years, website inquiry identifiers and commercial information are generally retained for up to two years, security and network activity records are generally retained for up to two years, and billing or transaction records are retained for the period required by tax, accounting, contract, and legal obligations.
Dispute investigation records, consumer statements, source notifications, and reinvestigation outcome notices are retained with the related consumer report or for the period required by law, contract, audit, litigation hold, or regulatory obligation, whichever is longer.
7. Consumer rights under the FCRA
Consumers whose information appears in a background check report have the right to: request a copy of any consumer report furnished about them, dispute inaccurate or incomplete information in their report, receive notice when information in a report has been used against them, have inaccurate information corrected or deleted after investigation, and place a security freeze or fraud alert on their consumer file.
To request your consumer file, email disclosures@informationdirect.us or write to Information Direct, Inc., Attn: Consumer File Request, 1519 E Chapman Ave #342, Fullerton, CA 92831. To submit a dispute, call (800) 707-2450, email disputes@informationdirect.us, or write to the same address with Attn: Disputes. When a disputed item came from a furnisher or source that must participate in the reinvestigation, we notify that furnisher or source within five business days after receiving the dispute and provide all relevant dispute information we received. We may request identity verification before releasing a file disclosure or acting on a rights request.
8. State-specific rights
Residents of certain states have additional rights. California residents have rights under the California Investigative Consumer Reporting Agencies Act (ICRAA), California Consumer Credit Reporting Agencies Act (CCRAA), and the California Consumer Privacy Act (CCPA/CPRA). New York residents are protected by Article 23-A. Massachusetts residents have CORI-specific protections. We comply with all applicable state privacy and consumer reporting laws.
9. California privacy notice for non-FCRA data
For personal information that is not exempt under the FCRA, California residents may request access, correction, deletion, and portability, may opt out of any sale or sharing of personal information, and may request that eligible sensitive personal information be limited to uses permitted by CPRA regulations. In the last 12 months, we have collected identifiers, commercial contact details, internet or network activity, geolocation inferred from IP address, and professional or employment-related information submitted through client account and website forms. We use this information for service delivery, security, analytics, compliance, and communications.
Information Direct does not sell personal information or share it for cross-context behavioral advertising. We do not use sensitive personal information for purposes outside those permitted by CPRA regulations. To submit a California privacy request, email privacy@informationdirect.us with the subject "California Privacy Request," call (800) 707-2450, or use /privacy-choices for Do Not Sell or Share, Limit Sensitive Personal Information, access, correction, deletion, and authorized agent requests. If sale or sharing is ever enabled, we will honor applicable opt-out preference signals such as Global Privacy Control where required. We will verify requests before disclosing or deleting data.
California residents may designate an authorized agent to submit a request on their behalf. We may require proof of the agent's authority and may ask the resident to verify their identity directly with us. We will not discriminate against you for exercising privacy rights, and we do not offer financial incentives or price differences in exchange for personal information.
Sensitive personal information may include government identifiers, account credentials, precise data submitted for screening, and other information classified as sensitive under California law. Where such data is not exempt under the FCRA or another law, we use it only for service delivery, security, compliance, fraud prevention, and other purposes permitted by CPRA regulations.
If annual California privacy metrics become legally required for Information Direct, we will publish the required request metrics in this notice or at a dedicated privacy reporting page.
10. Cookies and website analytics
Our website uses essential cookies and browser storage for security, CSRF protection, cookie consent state, and basic site functionality. The _csrf_token cookie helps protect forms and account actions against cross-site request forgery. The id_cookie_consent cookie and matching browser storage value record whether you selected essential-only cookies or optional analytics cookies. We may use privacy-respecting analytics to understand aggregate page performance and visitor behavior when enabled. We do not use cookies for advertising or cross-site behavioral tracking. You can manage cookie preferences through your browser settings or the Cookie preferences link in the footer.
11. Children's privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will promptly delete it.
12. International visitors and GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, this section applies to our processing of your personal data in addition to the provisions above. Information Direct processes personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") where applicable.
Information Direct is established in the United States. We do not currently maintain an EU, UK, or Swiss establishment and have not appointed a statutory Data Protection Officer unless a separate written agreement states otherwise. International screening involving EEA, UK, or Swiss data subjects is reviewed before activation for role allocation, transfer mechanism, representative requirements, and criminal-offence-data safeguards. If Article 27 of the EU GDPR, UK GDPR representative rules, or a formal DPO obligation applies to a covered processing activity, we will designate the required role in writing before continuing that covered processing and will publish or provide the representative contact information required by law.
Information Direct does not make hiring, tenancy, credit, or other eligibility decisions for clients and does not use solely automated decision-making to decide whether an individual is eligible. Matching, identity, SSN, MVR, or record-verification tools may assist research and quality control, but reports are delivered to authorized clients for their independent review under applicable law.
Information Direct maintains internal privacy and security risk assessments for high-risk screening workflows, including data protection impact assessment materials where required. We conduct or refresh a DPIA before covered large-scale or otherwise high-risk EEA/UK criminal offence data processing when required. These materials may be made available to qualified clients, regulators, or auditors under appropriate confidentiality protections.
13. Legal basis for processing
We process personal data under the following legal bases as defined in Article 6 of the GDPR: (a) Contractual necessity - processing necessary to perform our background screening services as requested by our clients; (b) Legal obligation - processing required to comply with the FCRA, state consumer reporting laws, and other applicable legal requirements; (c) Legitimate interests - processing necessary for fraud prevention, platform security, and service improvement, where such interests are not overridden by data subject rights; (d) Consent - where specifically obtained for optional processing activities such as marketing communications. Personal data relating to criminal convictions, offences, or related security measures is processed only where authorized by applicable law and supported by appropriate safeguards, and clients remain responsible for confirming their own lawful basis and hiring-use requirements.
14. EU data subject rights
If you are a data subject located in the EEA, UK, or Switzerland, you have the following rights under the GDPR: Right of access - the right to request confirmation of whether we process your personal data and to obtain a copy of that data. Right to rectification - the right to request correction of inaccurate or incomplete personal data. Right to erasure - the right to request deletion of your personal data, subject to applicable legal retention requirements (including FCRA retention obligations). Right to data portability - the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. Right to object - the right to object to processing of your personal data based on legitimate interests. Right to restrict processing - the right to request that we limit how we use your personal data while a complaint is being resolved.
You may object to direct marketing at any time, and we will honor that objection without requiring a reason. You also have the right to lodge a complaint with your local supervisory authority if you believe our processing violates applicable data protection law.
To exercise any of these rights, please contact our Data Protection Contact at privacy@informationdirect.us or write to Information Direct, Inc., Attn: Data Protection, 1519 E Chapman Ave #342, Fullerton, CA 92831. We will respond to all requests within 30 days, or within the timeframe required by applicable law.
15. International data transfers
Information Direct is based in the United States. If you are located outside the United States, please be aware that your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) as adopted under Commission Implementing Decision (EU) 2021/914, the UK International Data Transfer Addendum or International Data Transfer Agreement where applicable, and Swiss transfer safeguards where applicable, supplemented by transfer impact assessments and technical and organizational measures where appropriate. Information Direct is not currently listed here as self-certified under the EU-U.S. Data Privacy Framework unless we publish a current certification. We also maintain data processing agreements with sub-processors that include appropriate transfer safeguards.
To request a copy of the transfer terms we use, please contact privacy@informationdirect.us.
16. Security incident and breach notification
If we determine that a security incident triggers consumer, client, regulator, or state attorney general notification obligations, we will follow applicable federal, state, and international notice requirements. We aim to meet the shortest applicable notice deadline and use a 30-day baseline for state consumer breach notice planning unless a shorter or longer legal deadline applies to the specific incident. Our incident response process includes containment, investigation, preservation of relevant logs, legal review, client notification, regulator notification where required, and consumer notice where required.
17. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be posted on this page with an updated effective date. Continued use of our services after changes constitutes acceptance of the revised policy.
18. Contact us
If you have questions about this Privacy Policy or our data practices, please contact us:
Information Direct, Inc. · 1519 E Chapman Ave #342, Fullerton, CA 92831 · Phone: (800) 707-2450 · Email: privacy@informationdirect.us
For data protection inquiries related to the GDPR, you may also contact our Data Protection Contact at the address above or email privacy@informationdirect.us with the subject line "GDPR Inquiry." This contact is not a statutory DPO designation unless we publish a formal appointment.