Spider Digital Group — Privacy Policy

1.1 Identity of the Controller / Business

This Privacy Policy ("Policy") describes how Spider Digital Group collects, uses, discloses, retains, secures, and otherwise processes personal information (also called "personal data") in connection with this Site and any web pages, forms, or features that link to or reference this Policy. For purposes of the EU and UK General Data Protection Regulation ("GDPR" / "UK GDPR"), the Company acts as the "controller" of the personal data processed through the Site. For purposes of U.S. state privacy laws, the Company acts as a "business" (or equivalent "controller").

The operating name of the Company is "Spider Digital Group." We do not publish a fixed legal-entity designation, street address, or jurisdiction on this Site. Where this Policy refers to our governing jurisdiction, it means "the State in which the Company is principally established"; where it refers to our address, it means "our principal place of business." To exercise any right, withdraw consent, or contact us about privacy, please use the email address listed in the Contact section of our website, and we will provide any further routing or address needed to handle your request.

1.2 Scope and What This Policy Does Not Cover

This Policy applies to personal information we collect: (a) through forms and interactive features on the Site (including our contact / lead form); (b) automatically through your use of the Site (including cookies and similar technologies); and (c) where you have consented, through third-party identity-resolution technology that attempts to identify visitors to the Site.

This Policy does NOT apply to: (a) information collected on any website, platform, or service operated by a third party, even where linked from the Site; (b) information you provide through channels other than the Site, which may be governed by separate notices or agreements; or (c) data we process solely on behalf of our clients as a service provider / processor under a separate contract, which is governed by that contract and the client's own privacy notices.

1.3 Acceptance of This Policy

By accessing or using the Site, you acknowledge that you have read and understood this Policy. Where we rely on consent (for example, for non-essential cookies, analytics, advertising, and identity resolution), that processing occurs only after you provide affirmative, opt-in consent as described in Section 5. Your use of the Site is also subject to our Terms & Conditions.

1.4 Eligibility — Adults Only

The Site is intended for, and directed solely to, users who are 18 years of age or older. It is not directed to children, and we do not knowingly collect personal information from anyone under 18. See Section 17 (Children's Privacy / COPPA).

We place this disclosure near the top of this Policy because it describes a practice you should understand fully before you consent. Subject to your prior, affirmative, opt-in consent (see Section 5), the Site may deploy third-party identity-resolution technology (also called "visitor de-anonymization" or "website visitor identification" technology). When enabled with your consent, this technology operates as described below.

2.1 What It Does

• It attempts to match website visitors against third-party identity graphs — large datasets compiled and maintained by third parties (which may include data brokers) that associate online and offline identifiers with individuals.
• Based on those matches, it may infer or resolve identity attributes about a visitor, which may include the visitor's name, business or professional email address, employer or company, job title or role, and other professional contact details.
• Critically, this technology may operate even when you have not submitted a form and have not otherwise voluntarily identified yourself to us. When enabled with your consent, it may attempt to identify you and append professional information about you based on your visit alone.
• We use it, where consented, to understand which businesses and professionals are interested in our Services, to follow up on business-to-business interest, and to measure and improve our marketing.

2.2 How We Characterize It Under the Law

So that your consent is fully informed, we are direct about the legal characterization of this practice. We treat the deployment of identity-resolution technology, and the associated receipt of inferred identity attributes from third-party data providers, as a "sale" of personal information, a "share" of personal information for cross-context behavioral advertising, "targeted advertising," and "profiling," as those terms are defined under applicable U.S. state privacy laws. We treat it under the most protective applicable standard and do not rely on hedged characterizations to avoid these labels.

• We do NOT enable identity resolution by default.
• We enable it ONLY after you affirmatively opt in by selecting the "Marketing & Identity Resolution" category (or "Accept all") in our cookie banner.
• You may decline this category, and you may withdraw your consent at any time via the "Cookie settings" link in the footer.
• We honor Global Privacy Control (GPC) as a valid opt-out of this sale, share, and targeted advertising; a GPC signal overrides any stored opt-in for the browser or device from which it is sent.
• We never knowingly apply identity-resolution technology to any individual we know or have reason to believe is under 18 (see Section 17).

2.3 Data Sourcing, Brokers, and Safeguards

The identity graphs used in this process are compiled and maintained by third-party data providers, which may be regulated as data brokers under laws such as the California Delete Act, and the data-broker registration laws of Texas, Oregon, and Vermont. We engage identity-resolution providers under contractual terms that require them to act as our service providers / processors, to handle inferred identity data only for the limited purposes described here, to represent that their underlying data was lawfully sourced, and to propagate deletion and opt-out requests to their data sources and identity graphs (including, where applicable, through state deletion mechanisms such as California's Delete Request and Opt-out Platform). To the extent SDG's own use of appended identity data could itself be characterized as data-broker activity under any applicable law, we will comply with the applicable registration and consumer-rights obligations.

We do not use identity-resolution technology to append precise geolocation. If you do not wish to be subject to identity resolution, simply do not opt in to the "Marketing & Identity Resolution" category, withdraw consent at any time via "Cookie settings," and/or transmit a Global Privacy Control signal.

We collect only the categories of information described in this Policy; we do not engage in collection practices beyond those disclosed here.

3.1 Information You Provide to Us (Contact / Lead Form)

When you choose to contact us or submit an inquiry through our contact / lead form, you may provide, and we collect:

• Name — your full name or the name you choose to give us;
• Email address — the address at which you wish to be contacted;
• Phone number (optional) — provided only if you choose to give it;
• Company / organization — the business or organization you represent;
• Message — the free-text content of your inquiry; and
• Project details, including the nature of your need, your budget range, and your timeline.

We use a third-party email-delivery provider, Resend, to transmit and deliver the contents of these submissions to us. As a result, the information you submit through the form is processed by Resend solely for the purpose of delivering your message to us (see Section 6).

3.2 Information We Collect Automatically

When you access or interact with the Site, certain information may be collected automatically through your browser, device, our infrastructure, and (where you have consented) cookies and similar technologies. This may include:

• IP address (which may be used to derive an approximate, non-precise location, such as city or region; we do not collect precise GPS geolocation);
• Device and browser data, such as device type, operating system, browser type and version, language settings, and screen or viewport characteristics;
• Usage data, such as the pages and content you view, the date and time of your visits (timestamps), the duration and sequence of page views, and interactions with Site features;
• Referrer information, such as the website or source from which you navigated to the Site; and
• Marketing-attribution identifiers, including UTM parameters (e.g., utm_source, utm_medium, utm_campaign), gclid (Google click identifier), and fbclid (Meta/Facebook click identifier), which may be stored in your browser (for example, in cookies or local storage) to attribute and measure marketing performance.

Strictly necessary processing (for example, basic server logs needed for security, fraud prevention, and the technical delivery of the Site) may occur regardless of your cookie choices, as permitted by law. All non-essential automatic collection — including analytics and advertising technologies — occurs only after you provide opt-in consent.

3.3 Information Obtained Through Identity Resolution

As described fully in Section 2, where you have opted in, we may obtain inferred identity attributes about you (such as name, business email, employer, job title, and professional contact details) from third-party identity-resolution providers and identity graphs, even if you have not submitted a form.

3.4 Categories of Sources

We collect personal information from: (a) you directly; (b) automatically from your device and browser through cookies and similar technologies; (c) third-party identity-resolution providers and identity graphs (where you have consented, as described in Section 2); and (d) our analytics, advertising, hosting, and email service providers (Google, Meta, Vercel, and Resend).

3.5 Sensitive Personal Information and "Do Not Send Us Sensitive Information"

We do not seek to collect "sensitive personal information" (as defined under the California Privacy Rights Act and analogous state laws) or "special category data" (as defined under the GDPR and UK GDPR), and we do not use personal information to infer characteristics about you beyond the professional attributes described in Section 2. Please do NOT send us, through the form or otherwise, any sensitive personal information — including government identifiers (e.g., Social Security, driver's-license, or passport numbers), financial-account or payment-card numbers, account credentials, health or medical information, biometric or genetic data, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade-union membership, sex life or sexual orientation, immigration status, or information about minors. If you nonetheless choose to submit such information, you do so voluntarily and at your own risk, and you consent to our processing it solely as necessary to respond to your inquiry and to its deletion in the ordinary course.

We use personal information for the purposes set out below. Where the GDPR or UK GDPR applies, the legal basis we rely on is indicated in brackets: [Consent], [Legitimate Interests], [Contract] (performance of a contract or steps prior to a contract at your request), or [Legal Obligation].

• To respond to your inquiries and communicate with you — to receive, review, and respond to messages submitted through the contact / lead form, including discussing your project, need, budget, and timeline. [Contract / Legitimate Interests]
• To evaluate and pursue potential business relationships — to assess project fit, prepare proposals, and manage business-development activities. [Legitimate Interests / Contract]
• To operate, maintain, secure, and improve the Site — including ensuring technical functionality, availability, integrity, and security; preventing and detecting fraud, abuse, and unauthorized access; and diagnosing technical problems. [Legitimate Interests / Legal Obligation]
• To measure and understand Site usage (analytics) — to understand how visitors find and use the Site and to improve content and design. [Consent]
• For marketing, advertising, and attribution — to measure marketing performance using attribution identifiers (UTM, gclid, fbclid), to deliver and measure advertising (including retargeting), and to build and use custom and lookalike audiences. [Consent]
• For identity resolution / visitor de-anonymization — where you have opted in, to attempt to identify visitors and append professional contact information for business-development and marketing outreach, as described in Section 2. [Consent]
• To send commercial or marketing communications — where permitted, subject to your right to opt out at any time. We do not send autodialed, prerecorded, or SMS/text marketing unless you have separately and specifically opted in (see Section 18). [Consent / Legitimate Interests]
• To comply with legal obligations and enforce our rights — to comply with applicable laws and legal process; to establish, exercise, or defend legal claims; and to enforce our Terms & Conditions. [Legal Obligation / Legitimate Interests]
• For corporate transactions — to evaluate, negotiate, or complete a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, subject to the safeguards in Section 6. [Legitimate Interests]

4.1 Legitimate-Interests Balancing

Where we rely on legitimate interests, we have conducted a balancing assessment: (a) our interests include operating and securing the Site, responding to and developing business relationships, and measuring our marketing; (b) the processing is necessary for those interests and we use the least-intrusive practical means, including by gating non-essential tracking behind opt-in consent; (c) we considered the impact on you and concluded that the strictly-necessary and security processing involves limited data and aligns with your reasonable expectations; and (d) we provide safeguards including transparency, consent gating for higher-impact processing, data minimization, retention limits, and an unconditional right to object. We do NOT rely on legitimate interests for identity resolution, advertising tracking, or other non-essential tracking — those are consent-based. You may request more information about our balancing assessment using the contact details in Section 18.

4.2 Automated Decision-Making and Profiling

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing, including profiling, without meaningful human involvement. To the extent identity resolution and audience-building involve profiling, we describe it in Sections 2 and 19, conduct it only with your consent, and you may opt out as described in Sections 5 and 19. Where applicable, we maintain data-protection / profiling risk assessments for processing involving targeted advertising, profiling, or sensitive data, consistent with the requirements of the CPRA's automated-decision-making and profiling regulations and analogous state laws.

5.1 Our Opt-In Model

We use cookies and similar technologies (such as pixels, tags, local storage, and software development kits) to operate the Site and — only with your consent — to perform analytics, advertising, and identity resolution. Our model is opt-in. Non-essential cookies and ALL tracking technologies — including Google Analytics, the Meta Pixel, and identity-resolution technology — are disabled by default and activate only after you affirmatively click "Accept" (or otherwise enable the relevant category) in our cookie banner. If you decline, ignore, or close the banner, nothing non-essential loads or records. Closing or dismissing the banner is treated as a rejection of all non-essential categories. No analytics, advertising, or identity-resolution technology will run, and no associated identifiers will be set or read, unless and until you have given affirmative consent. We maintain a record of your consent choices (including the categories selected and the time of your choice) so that we can evidence and honor them.

5.2 Granular Consent Categories and Symmetric Choice

Our cookie banner and preference center offer the following granular categories, and you may Accept all, Reject all, or Customize your choices per category. The "Accept all" and "Reject all" choices are presented with equal prominence, in keeping with applicable dark-pattern and consent-symmetry requirements:

• Strictly Necessary (always on). Essential to deliver the Site, maintain security, remember your consent choices, and provide core functionality. They cannot be switched off through our banner and do not require consent under applicable law.
• Analytics (off by default). Enables analytics technologies (including Google Analytics) to help us understand and improve Site usage. Loads only with your opt-in.
• Marketing & Identity Resolution (off by default). Enables advertising and retargeting technologies (including the Meta Pixel, custom and lookalike audiences) and third-party identity-resolution / visitor de-anonymization as described in Section 2. Loads only with your opt-in.

Vercel Web Analytics and Speed Insights are privacy-friendly, aggregate, and designed not to use this category of cookies to identify individuals; their treatment is described in Section 6.

5.3 Withdrawing or Changing Your Consent

Your consent is withdrawable and changeable at any time. You may revisit and update your choices — including withdrawing previously granted consent — by clicking the "Cookie settings" link in the footer of the Site. Withdrawing consent stops the relevant processing going forward; it does not affect the lawfulness of processing carried out before withdrawal. You may also control cookies through your browser settings, though doing so may affect Site functionality.

5.4 Global Privacy Control (GPC) and Do Not Track (DNT)

We honor the Global Privacy Control (GPC) signal. Where your browser or a browser extension transmits GPC, we treat it as a valid opt-out of the "sale" and "sharing" of personal information and of targeted advertising to the extent required by applicable law, and we apply it to the browser or device from which it is sent. GPC always overrides a previously stored opt-in for that browser or device. Because GPC is browser- or device-specific, you may need to enable it on each browser and device you use. Separately, some browsers offer a "Do Not Track" (DNT) setting; because there is no consistent industry or legal standard for responding to DNT, we disclose that we do not separately act on DNT signals beyond honoring GPC and the controls described above.

We do not exchange personal information for monetary payment in the conventional sense. However, because certain of our advertising and identity-resolution activities may constitute a "sale" or "share" under applicable U.S. state laws, we describe those activities transparently throughout this Policy and provide opt-in and opt-out controls accordingly. We disclose personal information only as described below.

6.1 Categories of Recipients

• Service providers, processors, and sub-processors that perform functions on our behalf under contractual confidentiality and data-protection obligations — including hosting, email delivery, analytics, advertising, and identity-resolution providers (see Section 6.2). Our analytics, advertising, and identity-resolution providers are engaged as our service providers / processors so that they act on our behalf rather than as independent third-party recipients.
• Advertising and marketing partners — where you have opted in, to deliver, measure, and optimize advertising, including building custom and lookalike audiences (e.g., Meta).
• Third-party identity-resolution providers and their identity-graph data sources — where you have opted in, in connection with the activity described in Section 2.
• Professional advisors — such as lawyers, accountants, auditors, and insurers, where reasonably necessary and subject to confidentiality.
• Legal, regulatory, and governmental authorities — where required by law, legal process, or governmental request, or to establish, exercise, or defend legal claims, protect rights, property, or safety, and enforce our agreements.
• Parties to a corporate transaction — in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, subject to confidentiality protections and the continued application of this Policy or a successor notice.

We do not otherwise disclose your personal information to third parties for their own independent purposes without your consent, except as described in this Policy.

6.2 Key Sub-Processors and Third-Party Services

• Vercel — hosting, deployment, and infrastructure (including server processing in the United States), plus Vercel Web Analytics and Speed Insights, which provide privacy-friendly, aggregate metrics designed not to identify individuals and not to require advertising cookies.
• Resend — transactional email delivery, used to transmit the contents of contact / lead form submissions to us.
• Google — analytics via Google Analytics (loaded only with your opt-in to the Analytics category).
• Meta (Facebook/Instagram) — advertising and retargeting via the Meta Pixel, including custom and lookalike audiences (loaded only with your opt-in to the Marketing & Identity Resolution category).
• Third-party identity-resolution provider(s) and their associated identity-graph data sources — used only with your opt-in to perform the activity described in Section 2.

Each provider processes personal information under its own privacy and security commitments and, where applicable, under data-processing agreements with us. We may update our sub-processors from time to time; the most current description of our practices is reflected in this Policy as updated under Section 20.

The following summarizes, by statutory category, the personal information we have collected, disclosed for a business purpose, and (only where you affirmatively opt in to advertising and/or identity resolution) "sold" or "shared." This summary supplements the narrative in Sections 3 and 6 and supports the Notice at Collection in Section 9.

• Identifiers (name, email, phone, IP address, online identifiers, attribution IDs): Collected — Yes; Disclosed for a business purpose — Yes; Sold/Shared — only with your opt-in (advertising / identity resolution).
• Customer records / commercial inquiry data (company, message, project details): Collected — Yes; Disclosed — Yes; Sold/Shared — only with your opt-in (identity resolution).
• Internet or other electronic network activity (pages viewed, referrer, usage): Collected — Yes; Disclosed — Yes; Sold/Shared — only with your opt-in (advertising).
• Geolocation data (coarse / approximate, derived from IP; not precise): Collected — Yes; Disclosed — Yes; Sold/Shared — only with your opt-in.
• Professional or employment-related information (inferred via identity resolution): Collected — only with your opt-in; Disclosed — Yes; Sold/Shared — only with your opt-in.
• Inferences drawn to create a profile (interests, business intent): Collected — only with your opt-in; Disclosed — Yes; Sold/Shared — only with your opt-in.
• Sensitive personal information: We do not knowingly collect, disclose, sell, or share sensitive personal information, and we do not use it to infer characteristics. We ask that you not submit sensitive information (see Section 3.5).

This Section applies if you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, and supplements the rest of this Policy. The controller is Spider Digital Group, contactable at the email address listed in the Contact section of our website.

8.1 Legal Bases

We process personal data only where we have a lawful basis under Article 6: Consent (Art. 6(1)(a)) for non-essential cookies and all non-essential tracking, including Google Analytics, the Meta Pixel, and identity resolution; Performance of a contract / pre-contractual steps (Art. 6(1)(b)) to respond to your inquiry and prepare proposals; Legitimate interests (Art. 6(1)(f)) to operate, secure, and improve the Site, maintain server logs and security, respond to business inquiries, and pursue reasonable business-development interests, subject to the balancing in Section 4.1; and Legal obligation (Art. 6(1)(c)) to comply with applicable law. We do not rely on legitimate interests for identity resolution or advertising tracking, which require consent.

8.2 Your Rights as a Data Subject

Subject to applicable law, you have the right to:

• Access your personal data and obtain a copy;
• Rectification of inaccurate or incomplete data;
• Erasure ("right to be forgotten");
• Restriction of processing;
• Data portability — to receive your data in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible;
• Object to processing based on legitimate interests, and at any time and absolutely to object to processing for direct-marketing purposes (including related profiling);
• Withdraw consent at any time; and
• Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (see Section 19).

To exercise these rights, contact us at the email address listed in the Contact section of our website. We will respond within the timeframes required by law (generally one month under the GDPR/UK GDPR, extendable for complex requests).

8.3 International Data Transfers

We are based outside the EEA/UK, and our service providers (including Vercel, Resend, Google, and Meta) may process personal data in the United States and other countries that may not provide the same level of data protection as your jurisdiction. Where we transfer personal data out of the EEA, UK, or Switzerland, we implement appropriate safeguards, which may include the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, the Swiss addendum, reliance on adequacy decisions where applicable, and supplementary technical and organizational measures. You may request information about these safeguards by contacting us.

8.4 EU/UK Representative and Data Protection Officer

Where required, our EU Representative (Art. 27 GDPR) and UK Representative (Art. 27 UK GDPR), and any appointed Data Protection Officer, are identified through the contact details we maintain for that purpose; until any such representative or officer is designated and published, you may direct all data-protection inquiries to the email address listed in the Contact section of our website, and we will route them appropriately.

8.5 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority — in the EU, in the Member State of your habitual residence, place of work, or place of the alleged infringement; in the UK, with the Information Commissioner's Office (ICO) at ico.org.uk; and in Switzerland, with the Federal Data Protection and Information Commissioner (FDPIC). We would appreciate the opportunity to address your concerns first, so please consider contacting us before approaching a supervisory authority.

This Section applies to California residents and supplements the rest of this Policy, as required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA").

9.1 Notice at Collection

At or before the point of collection, we collect the categories of personal information described in Section 3 and summarized in Section 7, for the purposes described in Section 4, retained as described in Section 15. We "sell" or "share" certain categories only where you affirmatively opt in to advertising and/or identity resolution. We do not use or disclose sensitive personal information for purposes beyond those permitted under the CCPA, and we do not "sell" or "share" sensitive personal information.

9.2 Your CCPA Rights

• Know / Access — request the categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purposes, and the categories of third parties to whom we disclose it;
• Delete — request deletion of personal information we collected from you, subject to legal exceptions;
• Correct — request correction of inaccurate personal information;
• Opt Out of Sale / Sharing — direct us not to "sell" or "share" your personal information for cross-context behavioral advertising;
• Limit Use of Sensitive Personal Information — direct us to limit use of sensitive PI to permitted purposes (we do not use sensitive PI beyond permitted purposes); and
• Non-Discrimination — not receive discriminatory treatment for exercising your rights.

9.3 How to Exercise Your Rights; Opt-Out and Limit Mechanisms

You may exercise these rights by: (a) using the "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links and the "Cookie settings" link in our footer to opt out of the Analytics and Marketing & Identity Resolution categories; (b) enabling Global Privacy Control (GPC), which we honor as a valid opt-out of sale/sharing and targeted advertising; or (c) contacting us at the email address listed in the Contact section of our website.

9.4 Verification, Authorized Agents, and Non-Discrimination

We will take reasonable steps to verify your identity before responding to a know, delete, or correct request, which may involve matching information you provide against information we hold. You may use an authorized agent to submit a request; we may require proof of written authorization and may require you to verify your identity directly with us. We will not discriminate against you for exercising any CCPA right, and we do not offer financial incentives in exchange for personal information.

9.5 "Shine the Light" (Cal. Civ. Code § 1798.83)

California residents may request information about our disclosure of personal information to third parties for those third parties' own direct-marketing purposes. We do not disclose personal information to third parties for their own direct-marketing purposes. You may direct Shine the Light inquiries to the email address listed in the Contact section of our website.

If you are a Texas resident, you have the rights to: confirm whether we process your personal data and access it; correct inaccuracies; delete personal data; obtain a portable copy; and opt out of (i) the sale of personal data, (ii) targeted advertising, and (iii) profiling in furtherance of decisions producing legal or similarly significant effects. We provide these opt-outs via the cookie banner, the footer opt-out and "Cookie settings" links, and recognition of Global Privacy Control as a universal opt-out mechanism. Texas-specific notice: where you have opted in, we may disclose your personal data to identity-resolution and advertising partners, which may constitute a sale of personal data and processing for targeted advertising. You may appeal a denial of your request as described in Section 14.4.

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), or another state with a comprehensive consumer-privacy law (including, as they take effect, Tennessee, Indiana, Florida, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, Rhode Island, and others), you have, to the extent and as provided by your state's law, the rights to:

• Confirm and access the personal data we process about you;
• Correct inaccuracies;
• Delete personal data;
• Obtain a portable copy of personal data you provided to us;
• Opt out of (i) the sale of personal data, (ii) targeted advertising, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects; and
• Where applicable, opt in before processing of sensitive data (we do not knowingly process sensitive data).

11.1 Universal Opt-Out Mechanism

We recognize Global Privacy Control (GPC) as a universal opt-out mechanism for sale, sharing, and targeted advertising, consistent with the requirements of Colorado, Connecticut, Oregon, Montana, Delaware, Texas, and other states that mandate or recognize such mechanisms. You may also use our cookie banner and the footer opt-out and "Cookie settings" links.

11.2 Consent for Identity Resolution and Targeted Advertising

Because our identity-resolution and advertising features are off by default and load only after opt-in, processing for sale, sharing, targeted advertising, and profiling occurs only with your consent. Right-to-appeal procedures are described in Section 14.4.

Some U.S. states require the consent of all parties to record or intercept certain electronic communications, and some plaintiffs have applied wiretap, pen-register, and trap-and-trace theories to website analytics and tracking technologies. To the extent the California Invasion of Privacy Act (CIPA), including its pen-register and trap-and-trace provisions, or any analogous state wiretap or all-party-consent law applies to analytics, performance measurement, session activity, or communications on or through the Site, the following consent applies.

By accepting the Analytics and/or Marketing & Identity Resolution categories in our cookie banner and continuing to use the Site, you expressly consent to the collection, recording, monitoring, processing, replay, and analysis of your interactions with the Site — including page activity, clicks, navigation, session and performance data, IP address, device and communication identifiers, and any dialing, routing, addressing, or signaling information, as well as the contents of electronic communications you transmit to us through the Site — by us and by our analytics, advertising, and identity-resolution service providers acting on our behalf and as our agents, for the purposes described in this Policy. This consent constitutes your prior, express, all-party consent to any such collection, recording, or interception, and your authorization for the use of any device-, communication-, or signaling-identifying process. Strictly necessary and security-related logging is processed regardless of consent as permitted by law. If you do not consent, do not accept these categories, enable GPC, or refrain from using the Site.

13.1 Biometric Information (BIPA and Similar Laws)

We do not collect, capture, purchase, receive, store, use, or disclose biometric identifiers or biometric information (such as fingerprints, voiceprints, retina/iris scans, faceprints, or scans of hand or face geometry) as defined under the Illinois Biometric Information Privacy Act (BIPA) or analogous laws (e.g., Texas CUBI, Washington's biometric statute). We do not use facial recognition, camera input, or similar biometric technologies on the Site. Please do not submit biometric data to us.

13.2 Video Privacy (VPPA)

We do not knowingly operate as a "video tape service provider" or knowingly collect or disclose "personally identifiable information" relating to your request for or obtaining of specific video materials in a manner governed by the Video Privacy Protection Act (VPPA). To the extent any audiovisual content is presented on the Site, advertising and analytics technologies (such as the Meta Pixel) operate on pages containing such content only after, and subject to, the opt-in consent model in Section 5, and we do not knowingly disclose your video-viewing information in a manner prohibited by the VPPA. Where applicable, your acceptance of the Marketing category constitutes your informed, written consent to such disclosure for the limited purposes described in this Policy; you do not consent to any disclosure beyond what this Policy describes.

13.3 Commercial Email (CAN-SPAM)

If we send you commercial email, we will comply with the CAN-SPAM Act and applicable law, including by using accurate header and subject-line information, identifying the message as an advertisement where required, including a valid physical postal address (our principal place of business), and providing a clear and conspicuous unsubscribe mechanism. We will honor opt-out requests promptly (generally within 10 business days). You may opt out at any time using the unsubscribe link in the email or by contacting us at the email address listed in the Contact section of our website. Transactional or relationship messages (such as responses to your inquiry) are not subject to opt-out.

13.4 Telephone and Text Communications (TCPA)

We do not send automated telemarketing calls or marketing text (SMS/MMS) messages, and we do not use an automatic telephone dialing system or a prerecorded or artificial voice for marketing, unless you have separately and expressly opted in. Providing your phone number on our contact form authorizes us to contact you about your inquiry only; it does not enroll you in any automated or marketing text or call program. Consistent with the Telephone Consumer Protection Act (TCPA) and related rules, any marketing calls or texts would require your prior express written consent, which is not a condition of any service, and you may revoke consent at any time. Message and data rates may apply to any texts you exchange with us.

14.1 How to Submit a Request

To exercise any privacy right under any applicable law, submit a request to the email address listed in the Contact section of our website, or use the footer opt-out and "Cookie settings" links for opt-out and consent changes.

14.2 Verification

To protect your privacy and security, we will take reasonable steps to verify your identity before fulfilling a substantive request (such as access, deletion, correction, or know). Verification may require you to confirm information we already maintain about you (for example, the email address used to contact us). We will not use information collected for verification for any unrelated purpose, and we may decline a request where we cannot reasonably verify identity, as permitted by law.

14.3 Timing and Authorized Agents

We will respond within the timeframes required by applicable law (generally 45 days under U.S. state laws, with permitted extensions; generally one month under the GDPR/UK GDPR). You may use an authorized agent where the law permits, subject to proof of authorization and, where required, your own verification.

14.4 Right to Appeal

If we decline to act on your request, you may appeal by replying to our response or contacting us at the email address listed in the Contact section of our website with the subject "Privacy Appeal." We will respond to your appeal within the period required by applicable law (generally 45–60 days). If your appeal is denied, you may, depending on your state, contact your state Attorney General or relevant regulator (for example, in California, the California Privacy Protection Agency or the Attorney General; in other states, the respective Attorney General) to submit a complaint.

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements, and to establish, exercise, or defend legal claims. Our general retention guidelines are:

• Contact / lead form submissions (name, email, phone, company, message, project details): for the duration of our communications and any resulting relationship, plus a reasonable period thereafter for business-development and recordkeeping (generally up to 24–36 months after last contact), unless a longer period is required by law or you request deletion sooner.
• Email delivery logs (via Resend): for the limited period our email provider retains transactional logs, then deleted or anonymized.
• Analytics data (Google Analytics; Vercel aggregate analytics): per the configured retention settings of the analytics tool (typically 14 months or less for Google Analytics), in aggregate or pseudonymized form.
• Cookie / consent records: for the period necessary to evidence your consent choices and as required by law.
• Advertising / identity-resolution data: for the period determined by the relevant provider and our needs, and only while you maintain consent; deleted or suppressed upon withdrawal of consent or opt-out.
• Security and server logs: for a limited period necessary for security, fraud prevention, and reliability.

When personal information is no longer needed, we will delete, de-identify, or anonymize it, or securely isolate it from further processing, in accordance with our retention practices and applicable law.

16.1 Security

We implement technical and organizational measures designed to protect personal information against unauthorized or unlawful access, use, alteration, disclosure, loss, or destruction. These measures are designed to include encryption of data in transit, access controls aligned with least-privilege principles, use of reputable infrastructure and processors (such as Vercel and Resend), logging and monitoring, and limiting the collection of personal information to what is necessary. No method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the security of any device and connection you use to access the Site and for not transmitting sensitive information to us (see Section 3.5).

16.2 Breach Notification

In the event of a personal-data breach that triggers notification obligations under applicable law, we are committed to: (a) assessing the breach without undue delay; (b) notifying the relevant supervisory authority and/or other regulators within the timeframes required by law (for example, where feasible and where the breach is likely to result in a risk to individuals, consistent with the GDPR/UK GDPR's framework); and (c) notifying affected individuals where required by applicable law (including U.S. state breach-notification statutes), describing the nature of the breach and the steps we are taking. We will cooperate with authorities as required.

The Site is intended for users who are 18 years of age or older, and is not directed to children. We do not knowingly collect, use, sell, or share personal information from anyone under 18, and we do not knowingly apply identity-resolution technology to anyone we know or have reason to believe is a minor. Consistent with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13, and we do not knowingly direct any content or feature to them.

We state eligibility here and in our Terms rather than presenting an age-gate modal. If you are under 18, please do not use the Site or submit any information to us. If you are a parent or guardian and believe a child under 18 may have provided us personal information, contact us at the email address listed in the Contact section of our website, and we will take reasonable steps to delete it.

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing, including profiling, without meaningful human involvement. Where you opt in to identity resolution and advertising, we (and our service providers) may engage in profiling for marketing and audience purposes (for example, inferring business interest and building audiences). This profiling does not produce legal or similarly significant effects about you and is conducted only with your consent.

You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (to the extent any such profiling were to occur) and to opt out of profiling for targeted advertising, by declining the relevant cookie categories, enabling GPC, or using the "Cookie settings" link. EEA/UK data subjects also have the rights described in Section 8.2. Where applicable, we maintain risk or data-protection assessments for processing involving targeted advertising, profiling, and sensitive data.

Spider Digital Group is committed to digital accessibility and to making the Site usable by the widest possible audience, including people with disabilities. We work to improve accessibility with reference to the Web Content Accessibility Guidelines (WCAG) and consistent with the principles of the Americans with Disabilities Act (ADA) and applicable accessibility laws. Accessibility is an ongoing effort, and some portions of the Site — including interactive, animated, or three-dimensional content — may not yet fully conform.

If you encounter any accessibility barrier, or need assistance or an alternative means of access, please contact us at the email address listed in the Contact section of our website, describing the issue and the page involved. We welcome your feedback and will make reasonable efforts to address accessibility concerns and to provide the information or functionality you need through an alternative method where feasible.

20.1 Third-Party Links and Services

The Site may contain links to, or integrations with, third-party websites, platforms, or services (including those of Google, Meta, Vercel, Resend, and our identity-resolution providers) that we do not own or control. This Policy does not apply to those third parties, and we are not responsible for their content, privacy practices, or security. We encourage you to review the privacy policies of any third party before providing your information to it.

20.2 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will revise the "Last Updated" date above and, where required by law, provide additional notice (such as a notice on the Site). Changes are effective when posted unless otherwise stated. Your continued use of the Site after the effective date of any change constitutes your acceptance of the updated Policy, to the extent permitted by law. We encourage you to review this Policy periodically.

20.3 Contact Us

If you have questions, requests, or concerns about this Privacy Policy or our data practices — including to exercise any privacy right, withdraw consent, or submit a complaint or appeal — please contact us at the email address listed in the Contact section of our website. For data-protection inquiries under the GDPR/UK GDPR, you may also contact our EU/UK representative once designated (see Section 8.4), and you retain the right to lodge a complaint with your supervisory authority (see Section 8.5).

This Privacy Policy is provided for general informational purposes and does not constitute legal advice. Spider Digital Group reserves all rights, defenses, and protections available under applicable law.