Privacy Policy

1. Information We Collect

We collect the following categories of personal information (as those categories are enumerated in Cal. Civ. Code §1798.140(v) and comparable state laws). Not every category applies to every person who interacts with us.

• Identifiers — name, company name, postal address, email address, telephone number, IP address, and similar identifiers you provide or that are collected automatically when you visit our sites.
• Customer records — billing and payment information, account credentials, and professional contact details, including categories protected by Cal. Civ. Code §1798.80 (customer records).
• Commercial information — products or services purchased, considered, quotes requested, and service usage history.
• Internet or network activity — browsing information on our sites, interaction with emails and forms, device and browser type, access logs, and referring URLs.
• Geolocation data — approximate location derived from IP address. We do not collect precise geolocation (within 1,850 feet) from site visitors.
• Audio or visual — screenshots you send us as part of a support request or recorded calls that you expressly consent to.
• Professional or employment-related information — your role, company, and similar context when you contact us on behalf of a business.
• Inferences — characteristics we reasonably draw from the above, such as whether a lead is a good fit for a given service.
• Mobile application data — when using apps we develop: device identifiers, operating system version, app usage analytics, crash reports, and push notification tokens (where applicable).
• Communications and engagement records — lead intake data (including your name, email, phone, business name, stated project type, budget range, timeline, and the message you provide on a contact form), summaries and logs of our communications with you (calls, emails, meetings, and follow-ups), internal notes maintained by ArdinGate staff to coordinate service delivery across time, and pipeline status tracking (for example, whether a lead has been contacted, qualified, or converted). These records are accessible only to authorized ArdinGate staff through our internal CRM.

2. Sensitive Personal Information

Under CPRA (Cal. Civ. Code §1798.140(ae)), the following sensitive personal information (SPI) categories may apply:

• Account log-in credentials — usernames and passwords used to access Services we host for clients. Stored as salted hashes where technically feasible.
• Financial account information — limited to what is needed for billing; primary card data is handled by our payment processor and is not stored on our systems.

We do not collect: Social Security numbers, driver's license numbers, state identification numbers, passport numbers, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of personal communications not directed to us, genetic data, biometric data for purposes of uniquely identifying an individual (see §16 below), health information, or information about sex life or sexual orientation.

We use SPI only for the purposes specifically permitted by Cal. Civ. Code §1798.121(a) — providing the Services, ensuring security and integrity, short-term transient use, preventing fraud, and complying with legal obligations. You may request that we limit our use of SPI to these purposes by emailing privacy@ardingate.com. We do not use SPI to infer characteristics about you.

3. Sources of Information

• Directly from you (contact forms, emails, onboarding intake, account setup).
• Automatically from your device (cookies, server logs, analytics).
• From service providers who assist us (payment processors, hosting providers).
• From publicly available sources (business registries, corporate websites) used to verify identity or prepare project proposals.

4. How We Use Information

Information collected is used to:

• Provide, operate, maintain, and improve the Services;
• Process payments and manage subscriptions;
• Communicate with you about support, updates, renewals, invoices, and service notices;
• Respond to inquiries, proposals, and quote requests;
• Monitor and improve performance, reliability, and security (including detecting and preventing fraud and unauthorized access);
• Conduct short-term internal research and analytics in aggregated or de-identified form;
• Comply with legal, regulatory, tax, and contractual obligations; and
• Establish, exercise, or defend legal claims.

5. How We Share Information

ArdinGate does not sell personal information and does not share personal information for cross-context behavioral advertising, as those terms are defined under Cal. Civ. Code §1798.140(ad) and §1798.140(ah).

We share personal information only with the following categories of recipients, and only as necessary for the purposes described in this policy:

• Payment processors and billing providers — to charge you, issue invoices, and process refunds (see §6 for a list).
• Hosting, infrastructure, and security partners — to operate our systems (see §6 for a list).
• Analytics providers — to measure site traffic and improve UX (see §6).
• Email and communications providers — to deliver transactional messages.
• Professional advisors — accountants, attorneys, insurers, in furtherance of legitimate business purposes.
• Legal authorities and courts — in response to valid legal process or where reasonably necessary to protect rights, property, or safety.
• Successor in interest — in the event of a merger, acquisition, or sale of substantially all of ArdinGate's assets, subject to this policy or an equivalent.

Our service providers and contractors are bound by written agreements that restrict them from using personal information for any purpose other than the specific services they provide to us, consistent with Cal. Civ. Code §1798.140(ag) and §1798.140(j).

CRM data — including lead records, client records, internal notes, communication logs, contracts and their signature audit trails, and administrative authentication logs — is not shared with any third party except as described above (legal process, professional advisors, or a successor in interest). In particular, CRM data is not transmitted to any analytics provider, advertising platform, or SaaS CRM vendor.

6. Third-Party Services We Use

We rely on a small, deliberately chosen set of third-party providers. Each is listed below with the category of data involved and the provider's own privacy materials.

• Google Analytics 4 (Google LLC) — aggregated site traffic and event analytics. Google Signals and advertising features are disabled. IP addresses are processed only for approximate geolocation and not stored in raw form. Retention: 14 months (default). See Google Privacy Policy.
• Hetzner Online GmbH (web hosting) — stores site files, databases, and server logs. Servers are located in Germany; data is processed within the EU/EEA. See Hetzner Privacy Policy.
• Invoice Ninja (self-hosted by ArdinGate) — billing, invoicing, and quote management. Invoice Ninja runs on infrastructure operated by ArdinGate; we do not transmit billing data to the Invoice Ninja hosted service. Where card or ACH payment is offered through an invoice, the gateway (for example, a merchant processor configured in Invoice Ninja) receives card data directly from you on a hosted payment page and is the controller of that payment data. The specific processor in use is identified on the invoice payment page before you submit payment.
• Apple App Store & Google Play — where you install mobile apps we develop, Apple and Google collect data as described in their own policies.
• Firebase / Google Analytics for Firebase — where used in mobile applications we develop for clients, for crash reports and aggregate usage. Retention: 60 days (default), configurable per app.
• ArdinGate CRM (self-hosted by ArdinGate) — our internal client relationship and project management system. Stores:
  • Lead records from contact form submissions and inquiries — name, email, phone, business name, subject, stated project type, budget range, timeline, and message — along with a lead status (new, contacted, qualified, converted, or closed) and any internal notes added during follow-up;
  • Client records — contact details, business identity, lifecycle status (lead, active, inactive, archived), and free-form internal notes maintained by ArdinGate staff;
  • Project records — scope, pricing, timelines, milestones, status, and free-form internal notes;
  • Quote line items — the services, quantities, and prices that make up a quote or project, drawn from our internal services catalog;
  • Payment records — amount, method (cash, check, bank transfer, or other), date, and any notes attached to an individual payment;
  • Communication logs — summaries of calls, emails, meetings, and follow-ups with you, categorized by interaction type;
  • Contracts and their e-signature audit trail — the contract text and variable substitutions, the typed or drawn signature captured at signing, a cryptographic hash of the signed document used to verify it has not been altered, and a per-event activity log recording each event (sent, viewed, signed, declined, expired, voided) with the timestamp, IP address, and user agent collected at that event — as required by the federal ESIGN Act (15 U.S.C. §§ 7001 et seq.) and the Florida Uniform Electronic Transaction Act (Fla. Stat. §§ 668.50) for enforceability;
  • Third-party processor reference identifiers — the IDs our billing tool (Invoice Ninja) assigns to your client, invoice, or payment records, stored so we can cross-reference our records with the billing system;
  • Administrative authentication logs — records of login attempts to the CRM (timestamp, IP address, user agent, and whether the attempt succeeded or was throttled), used solely for security monitoring. These normally contain only ArdinGate staff data but may incidentally include information from a failed or attacker-attempted login.
  Runs exclusively on ArdinGate-operated infrastructure; no third-party CRM vendor or SaaS is involved.

This list is current as of the date at the top of this policy. We will update it when we add or change a material provider.

7. Cookies & Tracking Technologies

Our websites use cookies and similar technologies. We categorize cookies as follows:

• Strictly necessary — required for core site functions, including session management, CSRF protection, and form submission. These cannot be disabled without breaking the site.
• Functional — remember preferences (for example, policy-nav open/close state). Optional.
• Analytics — help us understand aggregate site traffic. We use Google Analytics 4 with advertising features off and IP anonymization on. We honor the Global Privacy Control signal as an opt-out for analytics cookies.
• Advertising — we do not use advertising cookies or pixels.

You may control cookies through your browser settings or a Global Privacy Control browser extension. Disabling strictly necessary cookies may break parts of the site.

8. Do Not Track & Global Privacy Control

Do Not Track (DNT) is a legacy browser setting. Because there is no industry-standard meaning for DNT, we do not change our behavior in response to DNT signals.

We do honor the Global Privacy Control (GPC) signal as a valid opt-out of sale or sharing of personal information and as a request to limit use of sensitive personal information, consistent with Cal. Code Regs. tit. 11, §7025 and CPPA Enforcement Advisory No. 2024-01 (March 2024). For details, see our Do Not Sell or Share My Personal Information page.

9. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information. These include TLS/HTTPS encryption in transit, salted password hashing, two-factor authentication for administrator access, principle of least-privilege access, and periodic review of service-provider controls. However, no method of transmission or storage is completely secure, and absolute security cannot be guaranteed.

Signed contracts are additionally protected by a cryptographic hash of the signed document, which is stored alongside the contract record and allows ArdinGate and the signer to verify that the document has not been altered after signing.

10. Data Retention

Information is retained only for as long as necessary to provide the Services, fulfill legal obligations, resolve disputes, or enforce agreements. Approximate retention periods:

• Lead records from contact form submissions: 2 years from last contact
• Internal notes and communication logs: 3 years following the last engagement with the client
• Billing and payment records: 7 years (tax and legal requirements)
• Hosting account data: duration of service plus 30 days following cancellation
• Website analytics: 14 months (Google Analytics default)
• App crash reports and usage analytics: 60 to 90 days
• Client project files and deliverables: 3 years following project completion
• Signed contracts and legal records: 7 years following termination
• E-signature audit records (contract events, signer IP and user agent, signature image, signature hash): life of the associated contract plus the contract retention period (7 years)
• Administrative authentication logs: 12 months

We may retain information beyond these periods where required by law, ongoing legal proceedings, or legitimate business purposes. When we no longer have a need to retain personal information, we delete or de-identify it.

11. State Privacy Rights

Depending on your state of residence, you may have any or all of the following rights with respect to personal information we hold about you:

• Right to Know / Access. Request information about the personal information we collect, use, and share.
• Right to Correct. Request correction of inaccurate personal information.
• Right to Delete. Request deletion of personal information we hold about you, subject to exceptions (such as tax records and legal defense needs).
• Right to Portability. Receive a copy of your personal information in a structured, commonly used, machine-readable format where technically feasible.
• Right to Opt Out of Sale or Sharing. See our Do Not Sell or Share page.
• Right to Limit Use of Sensitive Personal Information.
• Right to Opt Out of Profiling. Where profiling has legal or similarly significant effects. We do not currently conduct such profiling.
• Right to Appeal. If we deny a rights request, you may appeal by replying to our response or emailing privacy@ardingate.com with "Appeal" in the subject line.
• Right to Non-Discrimination. Exercising any of these rights will not affect the quality or price of Services provided to you.

California (CCPA/CPRA)

California residents have the rights described above under Cal. Civ. Code §§1798.100 through 1798.199.100. We acknowledge verifiable requests within ten (10) business days and respond substantively within forty-five (45) calendar days, with a possible forty-five (45) day extension on written notice.

ArdinGate is not a "data broker" as defined by Cal. Civ. Code §1798.99.80 and is not registered under the California Delete Act. We only collect personal information directly from our own clients, prospects, and site visitors.

Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia

If you are a resident of one of the states that has enacted a comprehensive consumer privacy law (as of the date of this policy: CO, CT, DE, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA), you have rights substantially similar to those described above. To exercise those rights, submit a request to privacy@ardingate.com. We will treat your request under the law of your state of residence where applicable.

For Texas residents: we do not sell sensitive personal data or biometric data.

Florida

The Florida Digital Bill of Rights (Fla. Stat. §§501.701 et seq.) applies to controllers above specific revenue thresholds. ArdinGate is below those thresholds, but we extend comparable rights on request to Florida residents. Submit requests to privacy@ardingate.com.

12. Verification and Authorized Agents

We will verify your identity using information you have previously provided to us and, where necessary, by asking you to confirm specific details. We will not create new accounts or require additional personal information beyond what is reasonably necessary to verify the request.

You may use an authorized agent to submit a request on your behalf. We will require proof of the agent's authorization (for example, a signed permission, a power of attorney, or proof that the agent is registered with the California Secretary of State) and may contact you directly to verify the request.

13. International Data Transfers

ArdinGate is located in the United States, and personal information we collect is processed in the United States. If you access the Services from outside the United States, information you provide will be transferred to and processed in the United States. Where we process personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses or the EU-U.S. Data Privacy Framework where applicable. Individuals in those regions have additional rights, including rights of access, rectification, erasure, restriction of processing, data portability, objection, and the right to lodge a complaint with a supervisory authority. Our lawful bases for processing include performance of a contract (for clients), legitimate interests (for site analytics and security), and consent (where required).

14. Push Notifications

Mobile applications developed by ArdinGate may request permission to send push notifications to your device. You may opt out at any time through your device's notification settings. Disabling push notifications does not affect core app functionality.

15. Third-Party Links & App Stores

Our sites and Services may contain links to third-party websites. ArdinGate is not responsible for the privacy practices or content of those sites. Mobile applications we develop and distribute through the Apple App Store or Google Play Store are also subject to the privacy practices of those platforms.

16. Biometric Data

ArdinGate does not collect, store, or process biometric identifiers or biometric information as defined under the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001), the Washington biometric privacy statute (RCW 19.375), or comparable laws. Where an app we develop uses device-level biometrics (for example, Face ID or Touch ID on iOS) for local authentication, the biometric data remains on the user's device and is not transmitted to or stored by ArdinGate.

17. Children's Privacy

The Services are not directed at individuals under the age of thirteen (13). ArdinGate does not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a child under 13, we will take steps to delete it promptly. Parents or guardians who believe a child has provided information may contact privacy@ardingate.com.

18. Data Breach Notification

In the event of a data breach that compromises personal information, ArdinGate will notify affected individuals and applicable authorities in accordance with Florida law (Fla. Stat. §501.171), California Civil Code §1798.82, and any other applicable state or federal data breach notification statute, within the timeframes required by those laws.

19. Policy Updates

ArdinGate may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last Updated" date. For significant changes affecting a specific client account, we will provide notice via email to the address associated with your account. Continued use of the Services after changes take effect constitutes acceptance. On request, we will provide a copy of the prior version of this policy that was in effect at a specific date.

20. Contact

For privacy-related questions, rights requests, or concerns, contact us at:

• Privacy requests and rights: privacy@ardingate.com
• General inquiries: contact@ardingate.com
• Accessibility: accessibility@ardingate.com (see our Accessibility Statement)
• Opt out of sale or sharing: Do Not Sell or Share My Personal Information

← Back to Home