Privacy & Data Policy

NeptuneOps is a California-based analytics and campaign management platform.

Role by context

• Controller/Business: For vendor-sourced and platform-generated datasets we host to power product features (e.g., L2 identifiers linked to entities).
• Processor/Service Provider: For customer-uploaded data and processing performed strictly under a customer’s documented instructions.

• Minimal account data for authenticated users (technical identifiers used for security only).
• Information about other individuals (non-users) processed in our datasets, including identifiers from L2 or customer-provided files.
• Website/product telemetry required to secure and operate the Service.

If we process personal information solely on behalf of a customer as its processor, the customer’s privacy policy may govern. In those cases, we follow the customer’s instructions and our contract.

A. Minimal information about our authenticated users

• Technical identifiers: session ID (sid), device ID (did), cookie IDs, and similar security data.
• SSO basics (if enabled): name and work email only to provision access; we do not profile or market to you.

B. Information about other individuals (non-users)

• Identifiers: names, mailing addresses, third-party IDs such as LALCONSUMERID and LALVOTERID.
• Vendor-supplied attributes needed to power analytics/campaign functionality.
• Limited inferences (e.g., relationship graphs or influence scoring) strictly for product features.

Sources

• Third-party data vendors (e.g., L2) under license.
• Customer-provided files or integrations.
• Product operation (e.g., linkage tables created when analysts confirm matches).

Sensitive Personal Information (SPI): We do not seek to collect SPI. If vendor datasets incidentally include attributes that may be considered sensitive, we use them only to provide the Service, apply access controls, and do not use SPI to infer characteristics beyond the scope described here.

• Operate and secure the Service (authentication, session/device security, fraud prevention).
• Link and manage vendor IDs (e.g., storing L2 IDs on entity records).
• Analytics and product improvement (only with consent for optional analytics cookies).
• Customer-authorized outputs (reports/exports consistent with instructions).
• Legal compliance and enforcement.

Legal bases (where GDPR/UK GDPR applies)

• Legitimate interests: operating a secure platform; linking vendor identifiers; preventing abuse.
• Contract: to provide the Service to customers and their authorized users.
• Consent: for non-essential cookies/analytics.

No sale/share: We do not sell personal information or share it for cross-context behavioral advertising. If this changes, we will update this Policy and provide required opt-out links.

Essential cookies (e.g., sid, did) keep accounts secure; analytics cookies (e.g., Google Analytics) are optional and set only with your consent. We honor Global Privacy Control (GPC) by defaulting analytics off when a valid signal is present. See our Cookie Notice for cookie names, purposes, and retention.

• Service providers/processors (hosting, storage, security, support, email delivery, analytics).
• Third-party data vendors (e.g., L2) to enrich/refresh records and validate links.
• Affiliates (if any) and professional advisors under confidentiality.
• Legal/compliance recipients when required by law or to protect rights.
• Corporate transactions (e.g., merger or acquisition) as permitted by law.

We require service providers to use personal information only to provide services to us.

• User security identifiers/logs: typically 12–24 months for logs; sid ~30 days; did ~400 days.
• Cookie preferences & consent logs: preference cookie up to 12 months; audit logs up to 24 months.
• Vendor-sourced link data: retained only as needed; refreshed per vendor cadence then deleted/anonymized.

We may retain aggregated or de-identified data for legitimate business purposes.

Depending on your location, you may have the right to access, correct, delete, receive a copy (portability), object to/restrict processing, and limit the use/disclosure of Sensitive information. These rights apply to any individual whose personal information we process.

How to make a request (verification required)

Email catarina@neptuneops.com with subject “Data Request” and include your full name, phone number, and mailing address. We use this information only to verify identity, locate records, and respond. Authorized agents may act on your behalf; we may request proof and additional verification. We keep a record of requests as required by law.

Vendor-sourced records (L2)

• We will delete or suppress your record in our systems to the extent permitted by law and contract.
• Where appropriate, we will forward your request to the vendor or provide instructions for contacting them.

We do not discriminate against you for exercising your rights. We honor GPC signals (analytics off). We do not currently respond to non-standard Do Not Track signals. If we deny a request, you may reply to appeal.

When we process personal data we did not obtain directly from you (e.g., from L2 or a customer file), this Policy serves as our Article 14 notice. Where direct notice to each individual would involve disproportionate effort, we rely on this publicly available notice and provide accessible opt-out and deletion mechanisms.

If you access the Service from outside the United States, your information may be processed in the U.S. and other countries that may not offer the same level of protection. Where required, we use appropriate safeguards (e.g., standard contractual clauses).

We use technical and organizational measures to protect personal information, including role-based access controls, secure session/device management, encryption in transit, environment hardening, monitoring, and audit logging of sensitive operations. No system is perfectly secure; we continually improve our safeguards.

The Service and our websites may link to third-party services. Their privacy practices are governed by their own policies.

The Service is not directed to children under 13, and we do not knowingly collect personal information from them.

We may update this Policy from time to time. The Last Updated date reflects the latest revision. If changes materially affect how we handle personal information, we will provide additional notice.

If you need this Policy in an alternative format, contact catarina@neptuneops.com.

Questions about this Policy or our privacy practices? Email catarina@neptuneops.com.