Data Breach Notification Plan
Last updated: April 19, 2026
Purpose
This plan describes how CORR detects, assesses, contains, and reports security incidents that may affect the personal information of our users. It follows FTC Safeguards Rule principles as guidance and satisfies CORR's obligations under state breach-notification laws, including but not limited to California (Cal. Civ. Code § 1798.82), New York (SHIELD Act, N.Y. Gen. Bus. Law § 899-aa), Texas (Tex. Bus. & Com. Code § 521.053), and Virginia (Va. Code § 18.2-186.6), and the breach laws of all 50 states and D.C.
Scope
This plan applies to any actual or reasonably suspected unauthorized acquisition, access, use, or disclosure of personal information stored or processed by CORR. It covers incidents involving CORR's own systems and incidents at our service providers (Google Firebase, Stripe, Square, Anthropic) that affect CORR users.
What Counts as a "Breach"
A breach is any event where personal information may have been exposed to an unauthorized party. Personal information includes: name, email, phone number, mailing address, account credentials, business records tied to an identifiable person, and any combination of data elements defined as "sensitive" or "personal" under applicable state law. Lost or stolen credentials, unauthorized database access, phishing of an administrator account, and a provider-side incident that names CORR data all qualify.
Detection & Intake
- Sources: Google Firebase security alerts, Stripe/Square provider notifications, user-reported abuse (hello@corrapp.com), internal log review.
- Triage: Incident logged with timestamp, source, affected systems, and preliminary classification within 24 hours of discovery.
- Containment: Preserve the relevant logs and audit records first, so the assessment has evidence to work from, then rotate affected credentials, revoke sessions, suspend compromised accounts, and, if needed, take affected features offline.
Assessment
Within 72 hours of discovery, we determine:
- What data elements were accessed, exfiltrated, or exposed.
- How many users are affected and in which U.S. states.
- Whether the data was encrypted, redacted, or otherwise rendered unusable.
- Whether the incident is reasonably likely to result in identity theft, fraud, financial harm, or other material harm.
If the data was encrypted and the encryption key was not compromised, most state laws do not require user notification. That determination is documented in writing either way.
User Notification
If notification is required, affected users are notified through two channels simultaneously and without unreasonable delay. The target is within 30 days of discovery, and never later than the outside deadline a state sets (e.g., Colorado and Florida 30 days; Ohio 45 days):
- Direct email to every affected user at the address on file. The subject line is clearly marked as a security notice so it is not mistaken for marketing, and the message does not ask the user to click a link and enter credentials, so it cannot be confused with a phishing message.
- System-wide in-app notification pushed through the mass-notification broadcast in the CORR admin panel. The notice appears in every user's app on next load and remains visible until acknowledged.
Using both channels improves the chance that the notice reaches users who have email-delivery problems or who open the app before checking email. Every notice is written in plain English and includes:
- A description of the incident and the date or date range.
- The types of personal information involved.
- Steps CORR has taken to contain and remediate the incident.
- Steps the user can take to protect themselves (password reset, credit monitoring guidance, fraud alert instructions).
- Contact information for CORR's incident response point of contact.
- Any applicable state-specific language (e.g., the statement of a Massachusetts resident's right to obtain a police report, or the credit reporting agency contact information California requires when Social Security or driver's license numbers are involved).
Regulator & Third-Party Notification
| Trigger | Who Gets Notified | Timeline |
|---|---|---|
| Residents of a state affected at or above that state's attorney-general threshold (thresholds vary by state, and some states have none) | State Attorney General (per state law) | Same time as user notice; many states set an outside limit of 30–60 days |
| >500 California residents affected | California Attorney General via the official online submission form | Concurrent with user notice |
| >1,000 residents affected (any single incident) | Nationwide credit reporting agencies (Equifax, Experian, TransUnion) | Without unreasonable delay |
| Payment card data involved | Stripe and/or Square (as processor), potentially card networks | Immediately |
| Credentials enabling fraud | Local law enforcement / FBI IC3 if criminal activity suspected | As soon as containment allows |
Service-Provider Incidents
If a CORR service provider (Google Firebase, Stripe, Square, Anthropic) notifies us of an incident affecting CORR users, we treat that notice as our own discovery date and run the assessment and notification workflow above. We require each provider to notify us of security incidents without unreasonable delay under our service agreements.
Documentation & Retention
Every incident — whether or not it rises to a reportable breach — is logged with: discovery date, source, affected systems, data elements, assessment outcome, notification decisions, and remediation steps. These records are retained for at least 5 years.
Post-Incident Review
After any reportable incident, CORR conducts a written post-mortem within 30 days covering root cause, what worked, what didn't, and concrete changes to prevent recurrence. The post-mortem is retained with the incident record.
Incident Response Contact
Report a suspected breach to hello@corrapp.com. The same address, hello@corrapp.com, handles privacy-rights requests that are not breach-related.
CORR is a sole proprietorship based in Monticello, Kentucky. The owner is the designated incident response point of contact until such time as a dedicated security officer is appointed.
Plan Review
This plan is reviewed at least annually and whenever there is a material change to CORR's systems, service providers, or applicable law.
Related: Privacy Policy · Your Privacy Rights · Accessibility Statement · Home