Privacy Policy
KATES ESSENTIALS LLC (“KE,” “we,” “us,” or “our”) operates the website katesessentials.com and provides branding, creative direction, design, marketing, and related professional services. This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have under applicable privacy laws — including the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other U.S. state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA).
If you have questions about this policy, contact us at brad@katesessentials.com or by mail at the address in Section 15.
1 · Summary at a glance
- We collect the information you submit through inquiry forms, email, phone, or during an engagement, plus basic technical data about your visit.
- We use this information to respond to you, perform our services, improve the site, prevent fraud, and comply with the law.
- We do not sell your personal information. We share it only with service providers who help us run the business, under contract.
- You can request access, correction, deletion, portability, or to opt out of certain processing at any time.
- We retain inquiry data for up to 24 months after last contact and client-engagement data in line with our professional and tax-record obligations (typically 7 years).
2 · Who this applies to
This Privacy Policy applies to (a) visitors to our public website, (b) people who submit our inquiry, contact, booking, or subscription forms, (c) clients and prospective clients, (d) vendors and contractors we engage, and (e) anyone who communicates with us by email, phone, or messaging platform. It does not apply to third-party websites we link to — review their policies separately.
3 · Information we collect
3.1 Information you provide directly
- Identity & contact data: full name, company name, email, phone number, billing and mailing address.
- Inquiry & project data: project goals, timeline, budget range, industry, current platforms, content and files you share with us.
- Payment data: processed by our payment providers (Stripe). We do not store full card numbers on our servers.
- Communication records: emails, messages, call notes, meeting recordings where you have given consent.
- Marketing preferences: newsletter sign-ups, tracking consent, event registrations.
3.2 Information we collect automatically
- Device & connection: IP address (truncated where possible), browser type and version, operating system, device type, referring URL, language.
- Usage data: pages visited, time on page, scroll depth, buttons clicked, UTM parameters, session timestamps.
- Cookies & similar technologies: see Section 9 for details and how to control them.
3.3 Information from third parties
- Advertising platforms (Meta, Google, TikTok) where you interact with our ads.
- Publicly available sources (LinkedIn, company websites) when we qualify a business inquiry.
- Referral partners who send us your inquiry with your consent.
3.4 Information we do NOT knowingly collect
We do not knowingly collect personal information from children under 16. We do not collect biometric data, precise geolocation (lat/long), Social Security Numbers, or health information through the website. If a client engagement requires sensitive data, we will put a separate Data Processing Agreement (DPA) in place.
4 · Why we use your information (legal bases)
Under GDPR we rely on the following legal bases; for U.S. state laws, we process personal information for the business purposes described below.
| Purpose | Data used | Legal basis |
|---|---|---|
| Respond to your inquiry and discuss engagements | Identity, contact, project data | Pre-contractual steps · legitimate interest |
| Deliver services under an engagement | All engagement data | Contract |
| Invoice and collect payment | Identity, billing, payment data | Contract · legal obligation (tax) |
| Operate, secure, and improve the site | Device & usage data | Legitimate interest |
| Measure marketing effectiveness | Usage, cookie data | Consent (where required) |
| Send occasional updates about our work | Email, preferences | Consent (opt-in) |
| Comply with tax, accounting, and legal obligations | Engagement, billing data | Legal obligation |
| Defend or establish legal claims | Any relevant data | Legitimate interest |
We will not use your information for any new purpose that is incompatible with the purpose for which it was originally collected, without notifying you and, where required, obtaining your consent.
5 · How we share information
We share personal information only with the following categories of recipients, under written confidentiality or data-processing terms:
- Service providers & sub-processors we rely on to run the business: Netlify (website hosting & form submissions), Stripe (payments), Google Workspace (email, docs), ProtonMail (email), HubSpot or similar CRM, Figma (design collaboration), Notion (project documentation), Slack (internal communications), accounting and bookkeeping software. A current sub-processor list is available on request.
- Professional advisors — lawyers, accountants, auditors — under duties of confidentiality.
- Subcontractors on an engagement — we require them to maintain confidentiality at least as protective as this policy.
- Law enforcement or regulators when required by a valid subpoena, warrant, court order, or statutory obligation, or to protect our rights, safety, or the rights and safety of others.
- Business transitions — in the event of a merger, acquisition, asset sale, or bankruptcy, personal information may transfer to the successor entity subject to the commitments in this policy.
We do not sell personal information as “sale” is defined under CCPA/CPRA or any U.S. state law, and we have not done so in the preceding 12 months. We do not share personal information for cross-context behavioral advertising in a way that would qualify as “sharing” under CPRA except as controlled by your cookie preferences (Section 9).
6 · International transfers
KE is based in the United States. If you are accessing the site from outside the U.S., your information will be transferred to, stored in, and processed in the U.S. Where required for transfers out of the EU, UK, or Switzerland, we rely on Standard Contractual Clauses (2021 EU SCCs, UK International Data Transfer Addendum, Swiss supplementary clauses) together with supplementary technical and organizational measures. Contact us to request a copy of the relevant transfer mechanism.
7 · How long we keep information
| Category | Retention |
|---|---|
| Unconverted inquiries / prospects | Up to 24 months from last contact, then deleted |
| Active client engagement records | Duration of engagement + 7 years (U.S. tax & professional record obligations) |
| Contracts, SOWs, invoices, payment records | 7 years |
| Website analytics | 14 months, then aggregated or deleted |
| Cookies | Session to 13 months depending on purpose (Section 9) |
| System backups | Rolling 90-day backups, overwritten automatically |
8 · Your rights
Depending on where you live, you may have any or all of the following rights. We will honor valid requests from anyone, regardless of jurisdiction, where operationally feasible.
- Access — get a copy of the personal information we hold about you.
- Correction — correct information that is inaccurate or incomplete.
- Deletion / right to be forgotten — ask us to delete information, subject to our legal retention obligations.
- Portability — receive your data in a structured, machine-readable format.
- Restriction / objection — ask us to pause or stop certain processing.
- Withdraw consent — where we rely on consent, at any time, without affecting prior lawful processing.
- Opt out of sale/sharing (CCPA/CPRA) — we do not sell or share, but you may confirm this preference at any time.
- Opt out of automated decision-making — we do not currently use automated decision-making that produces legal or similarly significant effects.
- Non-discrimination — we will not deny you service, charge you a different price, or provide a lesser level of service for exercising any privacy right.
- Authorized agent — you may designate an agent to exercise rights on your behalf. We may ask for proof of authorization.
- Complaint — you have the right to complain to a supervisory authority (EU: your local DPA; UK: ICO; California: Attorney General or CPPA).
To exercise a right, email brad@katesessentials.com with the subject line Privacy Request. We respond within 30 days (45 days if we need a reasonable extension, with notice). We may ask you to verify your identity before responding. We will not charge a fee for a first request within a 12-month period.
9 · Cookies & tracking technologies
We use a minimal set of cookies and similar technologies to run the site and understand how it performs:
| Type | Purpose | Lifetime |
|---|---|---|
| Strictly necessary | Form submission, anti-spam, session routing | Session |
| Preferences | Remember your consent choices and UI state | Up to 12 months |
| Analytics (with consent) | Aggregate usage stats (e.g., Google Analytics 4, Plausible) | Up to 13 months |
| Marketing (with consent) | Ad measurement on Meta / Google where you consent | Up to 13 months |
You can control cookies in your browser settings and through any in-product consent banner we offer. Blocking strictly-necessary cookies may break form submission and site functionality.
We currently do not respond to “Do Not Track” browser signals because there is no industry consensus on the standard. We do respect Global Privacy Control (GPC) signals as a valid opt-out of sale/sharing under applicable state law.
10 · Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information, including TLS encryption in transit, encrypted storage for sensitive files, least-privilege access controls, multi-factor authentication for all staff accounts, vendor due diligence, and regular review of our practices. No system is perfectly secure; we will notify affected individuals and regulators of a security incident in line with applicable breach-notification laws.
11 · Paid-advertising services (clients)
Where we manage paid advertising campaigns on your behalf (Meta, Google, TikTok, etc.), we may install platform pixels and conversion APIs on your website and access your ad accounts. The data generated through those pixels is processed primarily by the ad platforms as independent controllers under their own privacy terms. We act as a processor of limited campaign-reporting data for you under our SOW and Data Processing Addendum.
12 · Children
The site and services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will promptly delete it.
13 · Third-party links and content
The site may link to third-party websites, social-media platforms, and embedded content (e.g., video players). Those services are controlled by their operators and governed by their own privacy policies. We do not control and are not responsible for their practices.
14 · Changes to this policy
We may update this policy from time to time. If we make material changes, we will update the “Effective” date at the top and, where appropriate, notify you by email or a prominent notice on the site before the changes take effect. Continuing to use the site after the effective date constitutes acceptance of the updated policy.
15 · How to contact us
KATES ESSENTIALS LLC
Attn: Privacy — Bradley Polanco
Massachusetts, USA
Email: brad@katesessentials.com
Phone: +1 (978) 943-2398
For California residents: you may also designate an authorized agent to make requests under CCPA/CPRA. For EU/UK residents: we do not currently have an EU or UK representative under Article 27 GDPR because our processing is not at a threshold requiring one. If that changes, we will update this section.