Privacy Policy
A plain-English description of what personal data we collect, why we collect it, who else processes it, how long we keep it, your rights under GDPR / UK-GDPR / CCPA / CPRA, and how to contact us about any of it.
Plain-English summary
We try to collect as little personal data as possible. We do not sell or share your data with advertisers. We do not run third-party tracking, retargeting, or behavioural advertising.
If you ask us a question on this site, we hold what you typed. If you hire us, we hold the records we need to do the work, send invoices, and meet our legal obligations.
You have rights to access, correct, delete, port, restrict, and object — explained in section 09. To exercise any right, email legal@emeraldstatic.com. We reply within 30 days, free of charge.
We are not a law firm. This document is written in plain English by our team. It is accurate to the best of our knowledge but not a substitute for legal advice for your specific situation.
Who controls your data
The data controller (and "business" for CCPA/CPRA purposes) is the entity named below.
- Legal name
  - EMERALD STATIC LLC
- Registered address
  - 259 E Works St, Sheridan, WY 82801, USA
- General contact
  - hello@emeraldstatic.com
- Privacy contact
  - legal@emeraldstatic.com
- Phone
  - +1 (912) 915-9764
We do not currently have an obligation to appoint a Data Protection Officer (DPO) under GDPR Article 37, nor an EU/UK representative under Article 27, because our processing volume and risk profile do not meet the statutory thresholds. If that changes we will update this section and notify affected users.
What this policy covers
This policy applies to emeraldstatic.com, any subdomain we operate under it, and the services we provide to clients under a signed Statement of Work.
It does not cover websites we build for clients — those sites have their own privacy policy set by the client, and the client is the controller of personal data collected through them. We act only as a processor for those sites under a separate Data Processing Agreement.
It also does not cover third-party services we link to. When you click a link to an external site (e.g. a Pexels photographer’s page), that site’s privacy policy applies.
What personal data we collect
We collect four categories of personal data, listed in the table below. We do not collect special-category data (race, religion, health, biometrics, sexuality, trade-union membership, political opinions) or government identifiers (SSN, passport, driver’s licence) through this website.
- Identity & contact data
  - Name, business email, phone number, company name, job title — collected when you submit a form or hire us.
- Site-content data
  - The URL you submit to the mini-audit widget, the URL of any current site you share with us, and the free-text message you write in the contact form.
- Technical data
  - IP address, browser type, device class, referring URL, pages viewed, timestamps. Collected automatically by our hosting provider and by Plausible Analytics in aggregated form.
- Engagement data
  - If we work together: contract terms, invoices paid, access credentials you grant us, project files, call recordings (with your consent), and the deliverables we produce.
Sensitive personal information (CPRA)
We do not collect, use, or share "sensitive personal information" as that term is defined under the California Privacy Rights Act (CPRA). This includes precise geolocation, racial or ethnic origin, religious beliefs, union membership, mail and email contents (except where you send them to us), genetic or biometric data, health information, and sex-life or sexual-orientation data.
Because we do not process sensitive personal information, the CPRA right to limit the use of sensitive personal information is not applicable to our processing. We will update this section if that ever changes.
Why we use it (purpose) and lawful basis (GDPR)
For each category of data we process, we use it for one or more of the purposes below, on one of the GDPR lawful bases listed.
- Respond to enquiries
  - Lawful basis: Article 6(1)(b) performance of pre-contract steps, or 6(1)(f) legitimate interest in running our business.
- Deliver client services
  - Lawful basis: Article 6(1)(b) performance of contract.
- Send invoices and keep tax records
  - Lawful basis: Article 6(1)(c) legal obligation (US tax law, Wyoming state law).
- Send transactional emails (replies, audit deliveries)
  - Lawful basis: Article 6(1)(b) performance of contract / 6(1)(f) legitimate interest.
- Send newsletter or marketing emails
  - Lawful basis: Article 6(1)(a) consent. You can withdraw at any time via the unsubscribe link in every email or by emailing us.
- Improve our website (anonymous analytics)
  - Lawful basis: Article 6(1)(f) legitimate interest. We use cookieless analytics, no tracking pixels, no cross-site identifiers.
- Detect and prevent abuse, fraud, security incidents
  - Lawful basis: Article 6(1)(f) legitimate interest in protecting our systems and our clients’ systems.
- Defend or assert legal claims
  - Lawful basis: Article 6(1)(f) legitimate interest, or 6(1)(c) legal obligation.
We do not use your personal data to train, fine-tune, or otherwise build machine-learning models, and we do not allow our subprocessors to do so on data derived from this site.
California-specific disclosures (CCPA / CPRA)
If you are a California resident, the CCPA and CPRA give you specific rights described in section 09. This section explains what we collect about you, in the format California law requires.
Categories of personal information we have collected in the last 12 months: identifiers (name, email, IP address), commercial information (services purchased), internet activity (pages viewed on this site), professional information (company, job title), and inferences drawn from the above (e.g. that you are likely a small-business owner researching website vendors).
We have not sold or shared personal information for cross-context behavioural advertising in the last 12 months, and we do not do so today. There is no "Do Not Sell or Share My Personal Information" link on this site because we have nothing to opt you out of — we never put you in.
We do not use or disclose sensitive personal information beyond the purposes permitted by CPRA § 1798.121(a), so the right to limit the use of sensitive personal information does not apply.
To submit a CCPA/CPRA request (right to know, delete, correct, opt out of selling/sharing, limit sensitive PI), email legal@emeraldstatic.com with "California privacy request" in the subject. We verify identity by replying to the email address we hold on file for you, or by requesting two additional matching identifiers. Authorized agents may submit on your behalf with written, signed authorization.
Service providers and subprocessors
We use the third-party services below to run the business. Each one sees only the data it needs to do its job. None of them are paid for or permitted to use your data for their own commercial purposes. A current list with addresses, processing purposes, and locations is maintained in our subprocessor register, available on request.
- Google Workspace
  - Email, calendar, file storage. United States. Standard Contractual Clauses on file.
- HubSpot
  - CRM for contact records and pipeline notes. United States.
- Xero
  - Invoicing and bookkeeping. United States/New Zealand.
- Notion
  - Internal project documentation. United States.
- GitHub
  - Source code, design assets, deployment configuration. United States.
- Figma
  - Design files. United States.
- Plausible Analytics
  - Cookieless site analytics. European Union (Germany).
- Postmark (ActiveCampaign)
  - Transactional email delivery. United States.
- Fathom Video
  - Recorded video calls and AI summaries, where both parties have consented. United States.
- Cloudflare
  - DNS, CDN, DDoS mitigation, edge hosting. Global edge network.
- 1Password
  - Encrypted credential storage. Canada.
If we add, remove, or replace a subprocessor that processes personal data on our behalf, we update this list and bump the version number at the top of this page. Active clients on a signed Data Processing Agreement also receive at least 30 days’ written notice and may object on reasonable grounds.
Your rights and how to exercise them
Whether you are in the European Union, the United Kingdom, California, or elsewhere, we honour the rights below for everyone, regardless of jurisdiction. We aim to respond within 5 business days and we will complete the request within 30 days (45 days under CCPA, extendable by 45 more for complex requests with notice).
- Right of access — receive a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — delete data we hold, subject to legal retention obligations (e.g. seven-year tax records).
- Right to restriction — pause our processing while a dispute is resolved.
- Right to data portability — export your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interest, including direct marketing.
- Right to withdraw consent — for processing based on consent (e.g. newsletter, call recording), withdraw it at any time.
- Right not to be subject to automated decision-making — we do not make automated decisions with legal or similarly significant effects about you.
- Right to non-discrimination — exercising any privacy right will not affect the price, quality, or availability of our services.
- Right to lodge a complaint — with your supervisory authority (in the EU, your national DPA; in the UK, the ICO; in California, the Attorney General or the California Privacy Protection Agency).
To exercise any right, email legal@emeraldstatic.com from the address we hold for you, or with enough additional information to verify your identity. We will not charge you a fee unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request (with reasons given).
How long we keep data
We keep personal data only as long as we need it for the purpose we collected it for, or as long as the law requires.
- Contact-form submissions that did not lead to an engagement
  - 12 months from last interaction, then deleted from the CRM.
- Active client records
  - For the duration of the engagement, plus seven years after the final invoice (US tax-record retention).
- Aggregated and anonymised analytics
  - 36 months for historical comparisons. Anonymous on collection; cannot be linked back to you.
- Newsletter subscribers
  - Until you unsubscribe, plus 30 days for audit logging.
- Email correspondence
  - Indefinitely while the relationship is active; archived per Google Workspace defaults thereafter.
- Backups
  - Rotated on a 90-day cycle. Deletion requests are honoured in the live systems immediately and propagate through backups within 90 days.
International data transfers
We are based in the United States. Most of our subprocessors operate from the United States, with some processing in the EU (Plausible Analytics) and Canada (1Password). When we transfer personal data of EU/UK/Swiss residents to the United States, we rely on one of the transfer mechanisms below.
- The EU–US Data Privacy Framework, where the receiving processor is self-certified.
- Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), where the processor is not Data Privacy Framework certified.
- Where required for UK data, the UK Addendum to the EU SCCs, issued by the ICO.
If you would like a copy of the transfer mechanism applicable to a specific subprocessor, email legal@emeraldstatic.com and we will send the relevant clauses or certification reference.
How we secure data
We follow industry-standard administrative, technical, and physical safeguards proportional to the sensitivity of the data we hold. These include encryption in transit (TLS 1.2+ for all traffic) and at rest (AES-256 on managed databases), full-disk encryption on team laptops, hardware-key or app-based multi-factor authentication on every account that supports it, a role-based access control model, regular dependency scanning, and quarterly access reviews.
Subprocessor security is reviewed at onboarding and re-reviewed annually. We will provide a summary of our controls, our subprocessor list, and our incident-response runbook on request to enterprise prospects under NDA.
If we discover a personal-data breach, we will notify the supervisory authority within 72 hours of becoming aware of it (where required under GDPR Article 33) and notify affected individuals without undue delay where there is a high risk to their rights and freedoms (Article 34). For California residents we follow California Civil Code § 1798.82 notification timing.
Full security posture is described on our /security page.
Children
This is a business-to-business service. We do not knowingly collect personal data from anyone under 16 (under 13 for COPPA in the US). If you believe a child has provided us with personal data, email legal@emeraldstatic.com and we will delete it within 30 days.
Automated decision-making and profiling
We do not use automated decision-making, including profiling, in any way that produces legal or similarly significant effects on you. Every full audit, proposal, or recommendation we send is reviewed by a human team member before it reaches you.
Changes to this policy
When we change this policy, we update the version number and "last updated" date at the top. Substantive changes — anything that materially affects how we handle data — are emailed to active clients and current newsletter subscribers at least 30 days before they take effect. Continuing to use the site or our services after the change takes effect counts as acceptance of the updated policy.
Complaints and supervisory authorities
If you believe we have mishandled your personal data, please contact legal@emeraldstatic.com first — we want to fix it. If you remain dissatisfied, you can complain to the supervisory authority in your jurisdiction.
- European Union
  - Your national Data Protection Authority — list at edpb.europa.eu/about-edpb/about-edpb/members_en
- United Kingdom
  - Information Commissioner’s Office (ICO) — ico.org.uk/make-a-complaint/
- California, USA
  - California Privacy Protection Agency (CPPA) — cppa.ca.gov, or the Attorney General — oag.ca.gov/privacy
- Other US states with privacy laws (CO, CT, VA, UT, TX, etc.)
  - Your state Attorney General.