Privacy & Cyber Security Measures
Updated 2026
Your privacy is a leading priority for us.
Personal information is collected to open your account(s), to process your transactions, and to help provide a better level of service. Your personal information is never sold to anyone. We protect the security and confidentiality of the personal information collected.
Core Planning, LLC will not under any circumstances sell your personal or account information to anyone; such information can be separated into the following categories:
Personal Information - This information may include, among other things, your name, address, phone number, social security number, marital status, spousal information if married, your occupation and employer, your tax bracket, name, address, and social security number of your beneficiaries, personal financial information that you provide on new account applications or other forms, or any additional information that you wish to share with us as your Advisor.
Information Regarding Your Account History - As part of establishing a business relationship with you, we collect and maintain information regarding your investment transactions and other activities. This includes items such as your account balance, payments, withdrawals, account activity, and correspondence with you.
Trust and Estate Information – As part of our trust or estate planning process, personal and financial documents such as trust agreements, wills, and tax records may be retained.
We do not disclose personal information to third parties for marketing purposes and would disclose such only via the following limited exceptions:
We may disclose personal information to companies or individuals that facilitate our business relationship with you (i.e. brokerage firms that implement the trades on your behalf) or as requested by you (i.e. your CPA, Family Attorney, Trusted Third Party, or other Advisors at your request).
We may disclose or report personal information in limited circumstances where it is believed in good faith the disclosure is required or permitted under law, for example, to cooperate with regulators or law enforcement authorities.
Mobile Information / SMS Privacy - No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text messaging data will not be shared with any third parties under any circumstances, except with vendors or service providers that help us deliver such communications, or as required by law. If you consent to receive text messages from Core Planning, LLC, such messages will be limited to conversational, service, or account-related communications. Message and data rates may apply. Message frequency may vary. Reply STOP to opt out at any time.
How does Core Planning protect the confidentiality of your personal information?
The sharing of information with these entities is essential to fully service clients and to satisfy legal and regulatory obligations. All of these entities have legal or other obligations with respect to the use and disclosure of your information. In addition, some of these entities may have to provide you their own privacy policies. If this policy on disclosing information ever changes, we will promptly notify you in writing. We also maintain physical, electronic, and procedural safeguards that comply with federal and industry standards to guard your nonpublic personal information.
We will continue to evaluate these efforts to protect personal information and make every effort to keep your personal information accurate and up to date.
If you identify any inaccuracy in your personal information, or you need to make a change to that information, please contact us so that we may promptly update our records. If, at any time in the future, it is necessary to disclose any of your personal information in a way that is inconsistent with this policy, we will give you advance notice of the proposed change so that you will have the opportunity to opt-out of such disclosure.
Cybersecurity practices:
Cybersecurity protocol should be taken very seriously. Below are the measures adopted to safeguard your personal data:
Online Form submission is accomplished through Cognito Forms' HIPAA-compliant server. That form data is transmitted across a protected 256-bit SSL (Secure Sockets Layer) connection that uses a SHA256 certificate. This is the same level of protection used by online banking or e-commerce providers.
Email: All email correspondence is done through a secure platform. But even though the platform is secure, email can be targeted once the transmission leaves the server. Because of this, email should only be used for general purposes. Account numbers, social security numbers, or other identifying data should not be transmitted via email unless through an encrypted document.
Custodian Access: In order to access your investment accounts via third party custodian, Dual Factor Authentication is always used. This means that in addition to the standard log in ID and Password, account access is only granted after a token-based authentication with a numerical code, reset after each log in.
Business Computers: In order to perform our day-to-day duties, desktops and laptops are both generally used. These are the only such devices used to access client data. Data is backed up at regular intervals onto physical external hard drives. All devices are encrypted, and Antivirus software is updated regularly and automatically.
Social media and Website: Core Planning has a presence on the web at www.corepln.com.
This website is static, contains no client data, and is used strictly for generic informational purposes only.
Social Media pages (e.g. LinkedIn or Facebook) may be used for generic informational purposes and are not intended for specific investment guidance.
All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
Incident Response Program:
Core Planning has developed an incident response program that is designed to detect, respond to, and recover from unauthorized access or use of our customers’ information. This plan is intended to comply with Regulation S-P amendments that go into effect for small firms on June 3rd, 2026. Core Planning has systems and processes in place to identify any potential cyber incidents, which include utilizing the resources of custodians and 3rd party vendors. The incident response plan will apply to: all Core Planning employees, advisors, associated persons, contractors, or anyone else under the authority of Core Planning with access to customer information. The Incident Response Program is intended to cover incidents involving: unauthorized access to customer information, unauthorized use of customer information, cyberattacks impacting customer information, the compromise of firm or client passwords, theft of firm devices, service provider security incidents, and any other attack that could impact the customers or employees of Core Planning.
Core Planning considers the following information to be sensitive and to have the potential to cause harm to the customer if it were to be accessed by an unauthorized party: Social Security Number, Driver’s License or Passport number, Financial Account Numbers, Login Credentials, Date of Birth, Biometric records, or any other direct identifiers.
Guy Penn, CCO, will be primarily responsible for the firm’s incident response, customer notification, service provider due diligence, and the annual notice. The CCO may delegate these responsibilities as they see fit.
All employees are responsible for monitoring their systems and email for unusual activity or evidence of unauthorized access. The CCO will also monitor logs and access reports for suspicious activity. Part
In the event that the CCO or an associated person detects unusual activity or unauthorized access, an investigation will begin to determine the nature and the scope of the incident, what systems were impacted, what customer information was involved, which customers were potentially affected, and finally, whether unauthorized access occurred.
If the investigation uncovers that there was a breach, then the next step will be containment of the breach. This will depend on the system, type of breach, and how widespread it is. The firm will take all reasonable steps to prevent further unauthorized access or use.
Customer Notification:
In the event of unauthorized access to customer information, the firm is required to notify impacted customers as soon as reasonably practical but no later than 30 days from the incident. The notification will include a description of the incident, what information may have been accessed, the date or timeframe of the incident, what actions were taken by the firm, recommended steps for the client to take to protect themselves, a firm contact for any questions, and any other applicable information.
Service Provider Due Diligence:
Core Planning conducts Due Diligence on all 3rd party service providers to ensure they meet the firm’s expectations of protecting client data. Core Planning relies on compliance technology firm Greenboard’s Due Diligence tool to conduct a majority of the Due Diligence. These reviews are documented and maintained.
Annual Notice:
Core Planning will annually provide all customers with a notice of the Firm’s Privacy Policy and our practices. The Firm will retain a copy of the notice and proof that it was provided to all customers of the Firm. Core Planning’s privacy policy is always available for viewing or to download on the Firm’s website.
We will provide notice of changes in these information-sharing practices.
If, at any time in the future, it is necessary to disclose any of your personal information in a way that is inconsistent with this policy, we will give you advance notice of the proposed change so that you will have the opportunity to opt-out of such disclosure when possible.