(Product-Accurate Policies · CCPA/CPRA & State Compliance · Data Mapping · DPAs & Security · User Rights · AI & Synthetic Media)
Policies that match reality — and pass review
Privacy is credible only when your disclosures, your contracts, and your build tell the same story. We align all three so customers, platforms, and regulators see a consistent picture.
Where teams get exposed
Terms and privacy say one thing while the product does another.
There is no clear map of what data is collected, why, and where it goes.
DPAs and security addenda do not reflect actual controls or certifications.
Opt-outs, deletion, and incident response are undefined or manual.
CCPA/CPRA “sale” or “share” is triggered by ad-tech signals without the right notices or contracts.
How we align product and paper
Product-accurate policies
We write Terms of Service and a Privacy Policy that describe the build you are actually shipping, including data categories, purposes, retention, and cross-context advertising disclosures where applicable.
CCPA/CPRA & state compliance
We implement “Do Not Sell or Share” flows, Global Privacy Control (GPC) honoring, Notice at Collection, sensitive data handling, and consumer rights intake. We map roles and contracts (business, service provider, contractor) and address VCDPA/CPA/CTDPA alignment.
Data mapping
We inventory data elements, purposes, processors, storage locations, and retention periods, and we assign owners so the map is usable by product and compliance teams.
DPAs & security
We align addenda with your real controls and certifications and prepare vendor risk reviews you can defend to enterprise customers and platforms.
User rights & incidents
We implement deletion, access, and opt-out mechanics, and we build an incident response plan your team can actually run, including regulator and customer communications.
Ad-tech signals & AI
We address pixel/SDK tags, “sale/share” classifications, IAB U.S. Privacy/GPP strings, and contractual limits on model training and synthetic media, with disclosures for generated content when required.
Packages
CCPA Readiness
Notice at Collection, “Do Not Sell or Share” UI, GPC honoring, rights intake, service provider/contractor terms, and Privacy Policy updates.
Enterprise Ready
Customer-facing security addendum, vendor review kit, and an incident playbook aligned to your actual controls and certifications.
Privacy & AI Basics
Product-accurate Terms and Privacy, a practical data map, and a standard DPA set you can reuse across vendors and customers.
Custom
A scoped set of policies, reviews, and trainings tied to your ad-tech footprint, release cycles, and target customers.
Process
We review features with engineering and growth teams, including tags/SDKs and signal sharing, so the paper reflects the product you plan to ship.
We draft policies and contracts tied to real data flows and determine CCPA/CPRA roles (business vs. service provider/contractor) across partners.
We implement rights mechanics, “Do Not Sell or Share” and GPC, complete vendor reviews, and finalize DPAs and security terms.
We schedule quarterly updates so disclosures and state-law positions stay accurate as features and partners change.
FAQ
Do pixels or SDKs count as a “sale” or “share” under CCPA/CPRA?
They can. Passing ad-tech identifiers or cross-context signals to third parties for targeted advertising can be a “sale” or “share.” We structure agreements and UI so users can opt out and GPC signals are honored.
What is the difference between a service provider and a contractor in CPRA terms?
Both process personal information for your business, but contract terms differ. We draft the right restrictions and audit rights so partners do not become third parties that trigger “sale/share.”
How do we implement “Do Not Sell or Share” and Global Privacy Control (GPC)?
We add a clear “Do Not Sell or Share” link and a preference center, wire the privacy/consent strings your tags read, and detect GPC signals so opt-outs are applied automatically. We also document the decision logic for audits and platform review.
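As an added illustration of the detection step described above (example code written for this page, not the firm's implementation), the snippet below shows how a site can recognize a Global Privacy Control signal on both the server side (the `Sec-GPC: 1` request header defined by the GPC specification) and the browser side (`navigator.globalPrivacyControl`), combine it with a stored preference-center choice, encode the outcome as an IAB U.S. Privacy string, and suppress tags classified as “sale/share.” The header object, tag list and the `sellsOrShares` flag are constructed for the example.

```javascript
// Added example: resolving a "Do Not Sell or Share" opt-out from a GPC signal.
// Not the firm's code; sample headers and tag metadata are constructed.

// Server side: the GPC spec expresses the signal as the request header "Sec-GPC: 1".
// Only the exact value "1" counts as an opt-out; absence or any other value is "no signal".
function gpcFromHeaders(headers) {
  const raw = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return raw !== undefined && String(raw).trim() === "1";
}

// Browser side: navigator.globalPrivacyControl is true when the user has enabled GPC.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Resolve the effective sale/share opt-out for one request.
// An explicit "opt-out" stored from the preference center, or a GPC signal, both
// yield an opt-out; a GPC signal never re-enables sharing for a user who opted out.
// The "source" field is kept so the decision can be written to an audit log.
function resolveOptOut({ storedPreference = null, headers = {}, nav = null }) {
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const fromPreference = storedPreference === "opt-out";
  return {
    optedOut: fromPreference || gpc,
    source: fromPreference ? "preference-center" : gpc ? "gpc" : "none",
  };
}

// Encode the decision as an IAB U.S. Privacy (USP) string, version 1:
// char 1 = spec version, 2 = explicit notice given, 3 = opt-out of sale, 4 = LSPA covered.
function uspString({ noticeGiven, optedOut, lspaCovered }) {
  const yn = (flag) => (flag ? "Y" : "N");
  return "1" + yn(noticeGiven) + yn(optedOut) + yn(lspaCovered);
}

// Gate tags on the decision: anything classified as "sale/share" is suppressed for an
// opted-out user, while tags that do not sell or share (e.g. first-party analytics) still run.
function allowedTags(decision, tags) {
  return tags.filter((tag) => !tag.sellsOrShares || !decision.optedOut);
}

// Constructed sample request: GPC header present, no stored preference.
const sampleHeaders = { host: "example.test", "sec-gpc": "1" };
const sampleTags = [
  { id: "first-party-analytics", sellsOrShares: false },
  { id: "retargeting-pixel", sellsOrShares: true },
];

const decision = resolveOptOut({ headers: sampleHeaders });
console.log(decision, uspString({ noticeGiven: true, optedOut: decision.optedOut, lspaCovered: false }));
console.log(allowedTags(decision, sampleTags).map((tag) => tag.id));
```

The classification of each tag as “sale/share” is a contractual and data-mapping question, not a technical one; the code only enforces whatever classification the data map assigns.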
Do we need consent banners in the U.S., or are opt-outs enough?
Under CCPA/CPRA, the core requirements are an opt-out of sale/share and honoring GPC signals. Some state laws and platform policies may require additional notices or specific consent for sensitive data. We calibrate to your footprint.
What should our Notice at Collection include?
Data categories, purposes, retention periods, whether you “sell” or “share,” links to rights and opt-outs, and sensitive data disclosures where applicable. We build a concise, reusable notice pattern.
How do we handle vendor DPAs when their security posture is lighter than ours?
We standardize positions, add required controls and certifications where feasible, and create fallback language. We also maintain a vendor risk log that procurement and security can defend.
Can we restrict AI training on our data and creative assets?
Yes. We prohibit training and derivative use by contract unless you opt in, require deletion and certification at termination, and add disclosures when generated or simulated content is used.