PrivacyPoint PLLC
Privacy Notice
This notice explains how PrivacyPoint PLLC (“PrivacyPoint,” “we”) collects, uses, retains, and discloses Personal Data on our website at privacypoint.ai (the “Site”). Our platform and professional services are governed by separate notices and engagement terms.
1. What we collect
You provide: contact and assessment request details — name, work email, company, phone, and the description of your inquiry — plus your cookie consent choices.
Collected automatically: server and security logs (IP address, user agent, requested pages) processed by our hosting and security providers; analytics events only if you opt in to analytics cookies (see our Cookie Notice).
We do not seek sensitive Personal Data through the Site; please do not include it in free-text fields.
2. Purposes and legal bases
| Purpose | Legal basis (where GDPR applies) |
|---|---|
| Responding to contact and assessment requests | Legitimate interests; steps prior to entering an engagement |
| Site security, abuse and bot prevention | Legitimate interests |
| Analytics (opt-in only) | Consent |
| Recording your consent choices | Legal obligation / legitimate interests |
| Handling privacy rights requests | Legal obligation |
3. Disclosure — service providers
We use a small set of providers under data protection agreements:
| Provider | Role | Location |
|---|---|---|
| Supabase, Inc. (on AWS) | Platform hosting: Postgres database, authentication, storage, and Edge Functions — the core application infrastructure. | EU (Frankfurt); DPA in place |
| Cloudflare, Inc. | Content delivery, TLS, WAF, bot mitigation, and DNS at the network edge for the website and platform. | Global edge network; DPA in place |
| Amazon Web Services (KMS & S3) | Encryption-key management (KMS) for field-level encryption and write-once (WORM) storage anchoring the audit log. Does not receive plaintext personal data. | EU region; DPA in place |
| Google LLC (Google Calendar) | Calendar integration: meeting details sync to the PrivacyPoint calendar when you schedule through the site. | United States; DPA in place |
The canonical, always-current register (with change notifications) lives in our Trust Center.
We do not sell Personal Data or share it for cross-context behavioral advertising. We may disclose Personal Data where required by law, or in connection with a reorganization of the firm.
4. International transfers
Site data is stored in the EU (Frankfurt). Where Personal Data is accessed from or transferred to the United States, we rely on appropriate safeguards including Standard Contractual Clauses. Questions: [email protected].
5. Retention
Contact and assessment submissions: 24 months from last interaction unless an engagement follows. Consent records: 5 years. Security logs: provider defaults, typically ≤ 30 days.
6. Your rights
Depending on your jurisdiction (GDPR/UK GDPR, Virginia CDPA, CCPA/CPRA, and other state laws), you may have rights to access, correct, delete, or receive a copy of your Personal Data, and to object to or restrict certain processing. Submit a request through our privacy request portal or email [email protected]. We respond within the timeframe required by law (generally 30–45 days) and will verify your identity before acting.
Appeals. If we decline a request, you may appeal to [email protected] with “Privacy Rights Appeal” in the subject line. EU/UK individuals may also lodge a complaint with their supervisory authority.
7. Children
The Site is not directed to individuals under 18 and we do not knowingly collect their data. Contact us for prompt deletion if you believe otherwise.
8. Changes and contact
We will post updates here with a new effective date and version. Contact: PrivacyPoint PLLC, [email protected].