Privacy & Data Policy

NeptuneOps is a California-based analytics and campaign management platform.

Role by context

• Controller/Business: For vendor-sourced and platform-generated datasets we host to power product features.
• Processor/Service Provider: For customer-uploaded data and processing performed strictly under a customer’s documented instructions.

• Minimal account data for authenticated users (technical identifiers used for security only).
• Information about other individuals (non-users) processed in our datasets, including identifiers from third party data vendors or customer-provided files.
• Website/product telemetry required to secure and operate the Service.

If we process personal information solely on behalf of a customer as its processor, the customer’s privacy policy may govern. In those cases, we follow the customer’s instructions and our contract.

A. Minimal information about our authenticated users

• Technical identifiers: session ID (sid), device ID (did), cookie IDs, and similar security data.

B. Information about other individuals (non-users)

• Identifiers: names, mailing addresses, phone numbers, voter registration information, and third-party IDs.
• Vendor-supplied attributes needed to power analytics/campaign functionality.
• Limited inferences (e.g., relationship graphs or influence scoring) strictly for product features.

Sources

• Third party data vendors under license.
• Customer-provided files or integrations.

Sensitive Personal Information (SPI): Certain datasets we process, including voter file data, may contain information that could qualify as Sensitive Personal Information under applicable law (such as political affiliation).

We use Sensitive Personal Information only:

• To provide our analytics, targeting, and campaign management services;
• To maintain security and integrity;
• For purposes otherwise permitted by law.

We do not use Sensitive Personal Information to infer characteristics beyond the scope of the services described in this Policy.

California residents have the right to request that we limit the use and disclosure of Sensitive Personal Information where applicable.

Retention: We retain personal information only for as long as reasonably necessary and proportionate to achieve the purposes described above, unless a longer retention period is required by law.

Sale and Sharing for Cross-Context Behavioral Advertising

We sell and share certain personal information for cross-context behavioral advertising and analytics purposes, as those terms are defined under the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”). We do not knowingly collect or share personal information of minors.

“Sale” means disclosing personal information to a third party for monetary or other valuable consideration.

“Sharing” means disclosing personal information to a third party for cross-context behavioral advertising, whether or not for monetary consideration.

We may share the following categories of personal information for programmatic advertising:

• Identifiers (e.g., name, address, phone number, email)

We may sell the following information within the AI-I platform:

• Names
• Job information
• Relationship to identified principals

You have the right to opt out of the sale or sharing of your personal information. See Section 8 (Your Rights) below.

Legal bases (where GDPR/UK GDPR applies)

• Legitimate interests: operating a secure platform; linking vendor identifiers; preventing abuse.
• Contract: to provide the Service to customers and their authorized users.
• Consent: for non-essential cookies/analytics.

We honor valid Global Privacy Control (GPC) signals as a request to opt out of sale and sharing where required by law.

Essential cookies (e.g., sid, did) keep accounts secure; analytics cookies (e.g., Google Analytics) are optional and set only with your consent. We honor Global Privacy Control (GPC) by defaulting analytics off when a valid signal is present. See our Cookie Notice for cookie names, purposes, and retention.

Do Not Track Signals (CalOPPA Disclosure)

Some browsers offer a “Do Not Track” (DNT) setting. Because there is no uniform industry standard for recognizing or honoring DNT signals, we do not currently respond to browser-based DNT signals.

However, we do honor valid Global Privacy Control (GPC) signals as described above.

Third parties such as analytics providers or advertising partners may collect personal information about your online activities over time and across different websites.

• Service providers/processors (hosting, storage, security, support, email delivery, analytics).
• Legal/compliance recipients when required by law or to protect rights.
• Demand-side-platforms (DSPs) for uses of programmatic advertising.

We require service providers to use personal information only to provide services to us.

• User security identifiers/logs: typically 12–24 months for logs; sid ~30 days; did ~400 days.
• Cookie preferences & consent logs: preference cookie up to 12 months; audit logs up to 24 months.
• Vendor-sourced link data: retained only as needed; refreshed per vendor cadence then deleted/anonymized.

We may retain aggregated or de-identified data for legitimate business purposes.

NeptuneOps is a “data broker” as defined under California law.

Under the California Delete Act, California residents may submit a single deletion request through the California Privacy Protection Agency’s centralized Data Broker Requests and Opt-Out Platform (“DROP”). Once DROP processing becomes operational (currently expected to begin processing requests on or around August 1, 2026), NeptuneOps will:

• Access the DROP platform at least once every 45 days.
• Process verified deletion requests submitted through DROP.
• Direct our service providers and contractors to delete applicable personal information.
• Maintain records of compliance as required by law.

Depending on your location, you may have rights such as:

• Right to know/access what personal information we collect and use.
• Right to delete personal information (subject to legal exceptions).
• Right to correct inaccurate personal information.
• Right to obtain a portable copy of your personal information.
• Right to limit use/disclosure of Sensitive Personal Information (we do not use SPI beyond providing the Service).
• Right to not be discriminated against for exercising your rights.

Consumers may also submit requests directly to us.

How to make a request (verification required)

How to Exercise Your Rights

A. Right to Opt Out of Sale or Sharing

You may opt out of the sale or sharing of your personal information by:

• Enabling a valid Global Privacy Control (GPC) signal in your browser;
• Emailing info@neptuneops.com with the subject line “Do Not Sell or Share Request.”

B. Right to Delete (Direct Request)

You may request deletion of personal information by emailing info@neptuneops.com with the subject line “Deletion Request.”

C. California Delete Act (DROP Platform)

As a registered data broker, we process deletion requests submitted through the California Privacy Protection Agency’s Data Broker Requests and Opt-Out Platform (“DROP”). We access the DROP platform at least once every 45 days and process verified deletion requests within the timeframes required by law.

D. Right to Limit Use of Sensitive Personal Information

Where applicable, California residents may request that we limit the use and disclosure of Sensitive Personal Information to purposes permitted by law by emailing info@neptuneops.com with the subject line “Limit SPI Request.”

E. California “Shine the Light” Disclosure

Under California Civil Code Section 1798.83, California residents may request information regarding our disclosure of personal information to third parties for their direct marketing purposes.

To make such a request, please email info@neptuneops.com with the subject line “Shine the Light Request.”

If we deny a request, you may reply to appeal.

We may require reasonable verification information to process requests. We will not discriminate against you for exercising your rights.

If we cannot delete certain information due to legal, contractual, or security obligations, we will inform you consistent with applicable law.

When we process personal data we did not obtain directly from you (e.g., from a third party vendor or a customer file), this Policy serves as our Article 14 notice. Where direct notice to each individual would involve disproportionate effort, we rely on this publicly available notice and provide accessible opt-out and deletion mechanisms.

If you access the Service from outside the United States, your information may be processed in the U.S. and other countries that may not offer the same level of protection. Where required, we use appropriate safeguards (e.g., standard contractual clauses).

We use technical and organizational measures to protect personal information, including role-based access controls, secure session/device management, encryption in transit, environment hardening, monitoring, and audit logging of sensitive operations. No system is perfectly secure; we continually improve our safeguards.

The Service and our websites may link to third-party services. Their privacy practices are governed by their own policies.

We do not knowingly sell or share personal information of individuals under 16 years of age. If we become aware that we have collected personal information from an individual under 16 without appropriate authorization, we will take steps to delete such information.

We may update this Policy from time to time. The Last Updated date reflects the latest revision. If changes materially affect how we handle personal information, we will provide additional notice.

If you need this Policy in an alternative format, contact info@neptuneops.com.

Questions about this Policy or our privacy practices? Email info@neptuneops.com.