Privacy Policy

1. Information We Collect

We collect different types of information to provide and improve our services:

Contact Form Submissions:

Name (so we know what to call you)
Email address (to respond to your inquiry)
Phone number (optional, if you prefer a call)
Message content (to understand what you need)

Marketing Attribution Data:

UTM parameters from links (to understand which marketing works)
Referral source (where you came from before our site)
Landing page (which page you first visited)

Device Information: See Section 2 (Device Fingerprinting) below.

Analytics Data:

Pages you visit on our website
Time spent on each page
Buttons and links you click
General location (city/region, not street address)

Payment Information: Credit card details are processed securely by Stripe, our payment processor. We never store your full card numbers on our servers - only the last 4 digits for reference.

2. Device Fingerprinting

We collect device information to prevent fraud, identify returning visitors, and improve your experience. This is called "device fingerprinting." We're being completely transparent about this practice.

What We Collect:

Screen size and resolution (helps us optimize the design for your device)
Browser type and version (Chrome, Safari, Firefox, etc.)
Operating system (Windows, Mac, iOS, Android, etc.)
Installed fonts (creates a unique device signature)
Time zone (helps with scheduling and analytics)
Language settings (tells us your preferred language)

Why We Do This:

Fraud Prevention: Detect suspicious patterns and protect against spam submissions
Attribution Accuracy: Connect form submissions to the marketing source that brought you to us, even if you visit multiple times
User Experience: Remember your preferences and provide a consistent experience across visits

How to Opt Out: You can block fingerprinting by:

Using privacy-focused browsers (Brave, Firefox with privacy extensions)
Enabling "Do Not Track" in your browser settings
Disabling JavaScript (though this will limit site functionality)
Contacting us to manually opt out

What We DON'T Do: We do NOT use fingerprinting for cross-site tracking, targeted advertising, or selling your data to third parties. Period.

3. Cookies

Cookies are small text files stored on your device. We use several types:

Essential Cookies:

Form submission protection (prevent duplicate submissions)
Theme preference (remember if you chose light or dark mode)
Session cookies (keep you logged in during a visit)

Analytics Cookies:

Google Analytics 4 (anonymized IP addresses, 26-month retention)
PostHog session recordings (planned - helps us see how people use the site)

Marketing Attribution Cookies:

UTM parameter storage (30-day retention to attribute inquiries to correct source)
First-touch and last-touch attribution tracking

You can control cookies through your browser settings or our cookie consent banner. Essential cookies cannot be disabled without breaking site functionality.

4. How We Use Your Information

We use collected information for specific, legitimate purposes:

Respond to Inquiries: Answer your questions and provide information about our services
Deliver Purchased Services: Build your website, provide hosting, deliver support
Improve Our Website: Understand what works and fix what doesn't
Marketing Attribution: Measure which marketing efforts bring clients so we can invest wisely
Send Relevant Communications: Project updates, service notifications, occasional helpful tips (with consent)
Comply with Legal Obligations: Tax records, business filings, legal requests

We will never use your information in ways you wouldn't reasonably expect from a web design service provider.

5. Information Sharing

We share your information only with trusted service providers who help us operate:

Service Providers:

Cloudflare: Website hosting and security
Stripe: Payment processing
Resend: Email delivery service
Cal.com: Appointment scheduling
Google Analytics: Website analytics (anonymized)
PostHog: Product analytics and session recordings (planned)

These providers are contractually bound to protect your data and use it only for the services they provide to us.

Legal Requirements: We may disclose information if required by law, court order, or to protect our rights and safety.

Business Transfers: If Built By Duo is acquired or merged, your information may be transferred to the new owner. You'll be notified of any change in ownership.

NEVER Sold: We will NEVER sell your personal information to third parties for their marketing purposes. This is a core principle we won't compromise.

6. Data Retention

We keep your information only as long as necessary:

Contact Submissions: Stored as long as necessary for business purposes (typically until relationship ends, then archived)
Analytics Data: 26 months (Google Analytics 4 default setting)
Payment Records: 7 years (as required by tax law)
Marketing Attribution: 30 days for active cookies, 12 months for archived attribution reports
Session Recordings: 90 days (when implemented)

After retention periods expire, data is permanently deleted or anonymized so it cannot be linked back to you.

7. Your Rights

You have control over your personal information:

Access Your Data: Request a copy of all personal information we have about you
Correct Inaccuracies: Update incorrect or outdated information
Request Deletion: Ask us to delete your personal information (subject to legal retention requirements)
Opt Out of Marketing: Unsubscribe from marketing emails (service emails still necessary)
Data Portability: Receive your data in a machine-readable format to transfer elsewhere

California Residents (CCPA Rights):

Right to know what personal information is collected
Right to know if personal information is sold or disclosed (we don't sell)
Right to opt out of sale (not applicable - we don't sell data)
Right to deletion (with certain exceptions)
Right to non-discrimination for exercising CCPA rights

EU Residents (GDPR Rights):

Right of access, rectification, and erasure
Right to restrict processing
Right to data portability
Right to object to processing
Right to withdraw consent
Right to lodge a complaint with supervisory authority

To exercise any of these rights, email hello@builtbyduo.com with your request. We'll respond within 30 days.

8. Security

We take data security seriously and use industry-standard practices:

HTTPS Encryption: All data transmitted to and from our site is encrypted in transit
Secure Payment Processing: Stripe handles all payment data with PCI-DSS compliance
Access Controls: Only authorized personnel can access customer data
Regular Security Reviews: We monitor for vulnerabilities and apply updates promptly
Cloudflare Protection: DDoS protection, Web Application Firewall, and bot mitigation

While we implement strong security measures, no system is 100% secure. We'll notify you promptly if we discover a data breach affecting your information.

9. Children's Privacy

Our services are not directed at children under 13 years of age. We do not knowingly collect personal information from children.

If you believe we have collected information from a child under 13, please contact us immediately at hello@builtbyduo.com and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements.

Posted Updates: The "Last updated" date at the top will always reflect the current version. Check back periodically for changes.

Material Changes: For significant changes affecting how we use your data, we'll notify you via email or a prominent notice on our website at least 30 days before the changes take effect.

11. Contact Us

Questions, concerns, or requests about your privacy? We're here to help.

Email: hello@builtbyduo.com
Response Time: Within 24-48 hours during business days

For privacy-related requests (data access, deletion, corrections), please include "Privacy Request" in your email subject line so we can prioritize it appropriately.

Plain English Summary