Privacy Policy

1. Introduction

Garnet Grid Consulting LLC ("we," "our," or "us") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you visit garnetgrid.com and any subdomains, portals, or applications operated by us (collectively, the "Site"), including our Garnet knowledge engine and client portal. Please read this policy carefully. By accessing or using the Site, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Site immediately.

2. Information We Collect

We collect information in the following categories:

• Personal Data: Information you voluntarily provide, including your name, email address, phone number, company name, job title, and any message content submitted through our contact form or client portal registration.
• Account Data: If you create an account on our client portal, we collect your login credentials (email and hashed password) and authentication tokens managed through our identity provider.
• Derivative Data: Information automatically collected when you access the Site, including your IP address, browser type and version, operating system, referring URL, pages visited, time and date of access, time spent on pages, and unique device identifiers.
• Analytics Data: Aggregated and anonymized usage data collected through Google Analytics 4, including page views, session duration, geographic region (country/city level), device category, and user flow through the Site.
• Form Submission Data: Information submitted through our contact forms, which is processed by our contact-relay Worker (running on Cloudflare) and stored briefly in a Cloudflare D1 database for operational follow-up.

3. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on the Site. These include:

• Essential Cookies: Session cookies required for authentication and portal access. These are managed by our identity provider (Supabase) and are necessary for the Site to function.
• Analytics Cookies: Google Analytics 4 places cookies (e.g., _ga, _ga_*) to distinguish unique users and track session information. These cookies expire after 2 years and 24 hours, respectively.
• Preference Cookies: We store your theme preference (light/dark mode) in your browser's local storage. This data never leaves your device.

You can control cookies through your browser settings. Disabling cookies may affect the functionality of certain features, particularly the client portal.

4. Subprocessors & Third-Party Services

Subprocessors (the providers that physically store or process your data on our behalf):

• Cloudflare, Inc. — Edge hosting (Cloudflare Pages), serverless compute (Workers + Pages Functions), object storage (R2), key-value store (KV), and DNS. Data transit may pass through any Cloudflare PoP. Privacy Policy.
• Stripe, Inc. — Payment processing for one-time purchases and subscriptions. Stripe receives card data directly (we never see it). Privacy Policy.
• Garnet Postal (self-hosted) — Transactional email (order confirmations, drip sequences). Operated by Garnet Grid on infrastructure we control; no third-party SMTP relay.
• Google LLC — Google Analytics 4 (analytics), Google Ads remarketing (advertising), Google Tag Manager first-party serving. Data may transfer to the United States under Standard Contractual Clauses. Analytics are gated by your consent choice. Privacy Policy.
• Meta Platforms, Inc. — Facebook pixel for cross-context behavioral advertising. Loaded only after consent. Privacy Policy.
• LinkedIn Corporation — LinkedIn Insight pixel for cross-context behavioral advertising. Loaded only after consent. Privacy Policy.
• Anthropic / OpenAI / ElevenLabs / Cartesia / Google (Gemini) — Large-language-model and text-to-speech APIs that power optional interactive tools on the site (chat, audit-baseline, TTS, schema audit). Inputs you submit to these tools are processed by the relevant vendor; outputs are not retained beyond your session.
• Cloudflare D1 — Contact form submissions are stored in a Cloudflare D1 database for operational follow-up (no third-party form processor is used).
• Discord, Inc. — Operational webhooks for internal alerting (no end-user data is forwarded).

We do not knowingly engage any subprocessor not listed above. We do not sell your personal data. Use of the LinkedIn / Meta / Google Ads pixels may be considered "sharing for cross-context behavioral advertising" under CPRA — see Section 8 for your opt-out rights.

5. Use of Your Information

We use information collected about you for the following purposes:

• To respond to inquiries and fulfill service requests submitted via the contact form.
• To create and manage client portal accounts and authenticate users.
• To deliver consulting services, reports, and AI-generated insights through our Garnet knowledge engine.
• To analyze website usage, improve Site performance, and optimize user experience.
• To send administrative communications such as engagement confirmations, invoices, and service updates.
• To detect, prevent, and respond to fraud, security incidents, or unauthorized access.
• To comply with applicable legal obligations and enforce our Terms of Service.

6. Disclosure of Your Information

We may disclose your information in the following limited circumstances:

• By Law or to Protect Rights: If required by law, subpoena, court order, or government regulation, or if we believe disclosure is necessary to investigate potential violations, protect our rights, property, or safety, or protect the rights, property, or safety of others.
• Service Providers: To trusted third-party vendors who assist in operating the Site (as listed in Section 4), subject to confidentiality obligations.
• Business Transfers: In connection with any merger, acquisition, sale of assets, or financing, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Site of any change in ownership.
• With Your Consent: We may disclose information for any other purpose with your explicit written consent.

We do not sell your personal information. We have not sold personal information in the preceding 12 months.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Specifically:

• Contact form submissions: Retained for 3 years from date of submission, then permanently deleted.
• Client portal accounts: Retained for the duration of your engagement plus 3 years, after which accounts are deactivated and data is anonymized or deleted upon request.
• Analytics data: Google Analytics data retention is set to 14 months. Aggregated, non-identifiable analytics may be retained indefinitely.
• Server logs: Access logs are retained for 90 days for security and troubleshooting purposes.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose.
• Delete your personal information, subject to legal exceptions.
• Opt out of the sale or sharing of personal information. (Note: We do not sell personal information.)
• Non-discrimination for exercising your privacy rights.

European Economic Area Residents (GDPR)

If you are located in the EEA, you have the right to:

• Access your personal data and receive a copy.
• Rectify inaccurate or incomplete personal data.
• Erase your personal data ("right to be forgotten").
• Restrict processing of your personal data.
• Data portability — receive your data in a structured, machine-readable format.
• Object to processing based on legitimate interests.

To exercise any of these rights, contact us at garnetgrid@gmail.com. We will respond within 30 days (45 days for CCPA requests, with notice of extension if needed).

Right to lodge a complaint. EEA, UK, and Swiss residents have the right to lodge a complaint with their local data-protection supervisory authority if they believe our processing of their personal data infringes applicable law. You can find your supervisory authority via the European Data Protection Board's member list (UK: ICO; Switzerland: FDPIC). We'd appreciate the chance to address concerns first — please email us before filing — but this is your right and we don't gate it.

9. Children's Privacy

The Site is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 13 (or 16 in the EEA). If we learn that we have collected personal information from a child under these ages, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at garnetgrid@gmail.com.

10. Security

We implement administrative, technical, and physical security measures to protect your personal information, including:

• HTTPS/TLS encryption for all data transmitted between your browser and our servers.
• Hashed and salted password storage — we never store plaintext passwords.
• Role-based access controls for client portal and administrative systems.
• Regular security reviews and monitoring for unauthorized access.

While we use commercially reasonable measures to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

11. Do Not Track, GPC & Do Not Sell or Share

Do Not Track (DNT). Some browsers transmit DNT signals. We do not respond to DNT because no uniform standard for handling it has been adopted.

Global Privacy Control (GPC). We honor the GPC signal. If your browser sends GPC, the consent banner auto-declines on your behalf and no remarketing or analytics pixels load — this is recorded as a Decline in our consent log. You don't need to take any action.

Do Not Sell or Share My Personal Information. California residents and other users covered by laws granting equivalent rights may opt out of "sale" or "sharing" of personal information. Garnet Grid does not sell personal information for money. We do, however, load Google Ads, Meta Pixel, and LinkedIn Insight tags after explicit consent — under CPRA those may be considered "sharing for cross-context behavioral advertising." To opt out:

• Click Decline on the cookie banner (visible on first visit; available again by clearing the gg_cookie_consent entry in your browser's local storage).
• Enable Global Privacy Control in your browser — we honor it automatically.
• Email garnetgrid@gmail.com with subject "Do Not Sell or Share" — we will record your preference within 15 days.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page. For material changes that significantly affect how we handle your personal data, we will provide prominent notice on the Site or contact you directly via email. Your continued use of the Site after any modifications constitutes your acknowledgment and acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Garnet Grid Consulting LLC
New York, NY
garnetgrid@gmail.com

For privacy rights requests (CCPA, GDPR), please include "Privacy Rights Request" in the subject line and specify the right you wish to exercise.

14. Version History

Material changes to this Privacy Policy, in reverse chronological order. Minor wording edits not listed.

• 2026-05-13 — Rewrote subprocessor list (Section 4) to name Cloudflare, Stripe, Postal sovereign, Google, Meta, LinkedIn, Anthropic, OpenAI, ElevenLabs, Cartesia, Gemini, Cloudflare D1, Discord (replacing inaccurate Formspree + GitHub Pages references). Added Section 11 covering GPC honoring, the CCPA "Do Not Sell or Share" opt-out, and the standing workflow. Added right-to-lodge-a-complaint and supervisory authority pointer for EEA/UK/Swiss residents. Switched the "Last Updated" auto-date JavaScript (which silently overwrote the date to today on every page load) for a static Effective: date.
• 2026-02-16 — Initial published version.