Privacy Policy

Last Updated: June 1, 2025

This privacy notice for SALT Strategic Advisory ("Company," "we," "us," or "our"), describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:

• Visit our website at https://saltstrat.com, or any website of ours that links to this privacy notice
• Use our PDF report viewer and analytics platform
• Interact with our SITREP AI chatbot
• Submit inquiries through our contact forms
• Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at secure@saltstrat.com.

Summary of Key Points

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. This includes data from contact forms, analytics from our PDF reader (anonymous), interaction data with our SITREP AI chatbot (anonymized), and data collected by Google Analytics (if you consent).

Do we process any sensitive personal information? We do not process sensitive personal information. However, you should avoid inputting sensitive personal information into free-text fields like our contact form or AI chatbot.

Do we receive any information from third parties? We may receive information from third-party service providers such as Google (for Analytics, Workspace, and AI services), but analytics data from Google Analytics is only collected with your explicit consent.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you (e.g., responding to contact form submissions stored in Google Workspace and Firestore), for security and fraud prevention, and to comply with law. Our PDF reader tracks basic usage metrics anonymously (e.g., time spent on pages) stored in Firestore for service improvement. Our SITREP AI chatbot interactions (inputs/outputs) are tracked anonymously in Firestore, and Google may use this data for training purposes as per their policies. We process your information only when we have a valid legal reason to do so.

In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties including Google (Analytics, Workspace, AI services), Firestore (database storage), and other essential service providers. For details on Google's privacy practices, see Google's partner policy and Google Analytics data practices. Contact form submissions are processed via email to our team (stored in Google Workspace, see Google Workspace privacy) and saved in Firestore.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information, including rights under GDPR, CCPA, and Middle Eastern data protection laws.

Table of Contents

1. What Information Do We Collect?
2. How Do We Process Your Information?
3. What Legal Bases Do We Rely On to Process Your Personal Information?
4. When and With Whom Do We Share Your Personal Information?
5. Do We Use Cookies and Other Tracking Technologies?
6. International Data Transfers
7. How Long Do We Keep Your Information?
8. How Do We Keep Your Information Safe?
9. Do We Collect Information from Minors?
10. What Are Your Privacy Rights?
11. Controls for Do-Not-Track Features
12. Do California Residents Have Specific Privacy Rights?
13. Do European Union Residents Have Specific Privacy Rights?
14. Do Other US State Residents Have Specific Privacy Rights?
15. Do Middle East Residents Have Specific Privacy Rights?
16. Data Breach Notification
17. Automated Decision Making
18. Do We Make Updates to This Notice?
19. How Can You Contact Us About This Notice?
20. How Can You Review, Update, or Delete the Data We Collect From You?

1. What Information Do We Collect?

Personal Information You Disclose to Us

In Short: We collect personal information that you provide to us, primarily through our contact form.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect when you use our contact form may include the following:

• Names and contact details (name, email address)
• Subject of your inquiry
• Message content and details of your inquiry
• Communication records and correspondence (these are stored in our Google Workspace inboxes and may be logged in our Firestore database)

Information Automatically Collected

In Short: Some information — such as your IP address and/or browser and device characteristics — is collected automatically when you visit our Services. We also collect anonymous usage data from our PDF reader and AI Chatbot, and conditional data via Google Analytics.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information.

Log and Usage Data: This data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports, and hardware settings), and user agent strings.

PDF Report Analytics Data

Our PDF reader tracks basic usage events anonymously to help us understand report engagement and improve user experience. This data is not linked to personally identifiable information unless you are logged in (currently, user login is not implemented for this feature) or have provided contact information elsewhere. This data is stored in our Firestore database (`appAnalytics` collection) and includes:

• Report Engagement Events: Opening of a report (including report ID, title, total pages).
• Page View Events: Viewing a specific page (including page number, previous page, duration spent on the previous page).
• Navigation Events: Use of pagination controls (e.g., next/previous page clicks, specific page jumps, direction of navigation).
• Interaction Events: Use of features like zoom or full-screen mode.
• Error Events: Any errors encountered while loading the report or specific pages.
• Associated Data: These events also include the report ID and title for context. Technical data like user agent strings and general path information are logged broadly by our analytics provider for all site visits.

AI Chatbot Interaction Data

Our SITREP AI chatbot collects and processes the following data, which is anonymized and stored in our Firestore database (`appAnalytics` collection), to improve its functionality and understand usage patterns:

• Chat inputs: Questions, commands, and text you submit to the chatbot.
• Chat outputs: Responses generated by our AI system.
• Session data: Interaction patterns, conversation flow, timestamp information (client and server-side).
• Usage analytics: Feature usage, response quality metrics, error logs (including error messages and details if issues occur).

Important Notice: While we anonymize this data on our end for storage in Firestore (meaning we don't directly link it to specific user accounts in the chat system itself), please be aware that Google, as our AI service provider (Genkit using Gemini models), may use anonymized data from our AI services for training and improving their machine learning models in accordance with their privacy policies. For more information on how Google handles data, please see Google's data practices. Do not input sensitive personal information into the chatbot.

Google Analytics Data (Conditional)

We use Google Analytics (Measurement ID: G-6HJFKZFE9V) to collect website traffic data, but only if you accept the privacy disclaimer popup on our website (i.e., provide consent for analytics cookies). If consent is given, Google Analytics may collect:

• Page views and site navigation patterns
• Time spent on pages and bounce rates
• Geographic location (country/region level)
• Device and browser information
• Traffic sources and referral information
• Custom events and goal completions

This data is processed by Google and subject to Google's Privacy Policy. You can learn more about how Google uses data when you use our partners' sites or apps at www.google.com/policies/privacy/partners/. You can opt out of Google Analytics tracking at any time through our cookie preferences banner or by visiting the Google Analytics Opt-out Browser Add-on.

2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To deliver and facilitate delivery of services to the user: We may process your information to provide you with the requested service, such as displaying PDF reports or providing responses via the AI chatbot.
• To respond to user inquiries/offer support to users: We may process your information (from contact forms) to respond to your inquiries and solve any potential issues you might have with the requested service. This includes storing your communication in Google Workspace and Firestore.
• To send administrative information to you: We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
• To evaluate and improve our Services, products, marketing, and your experience: We process anonymized data from the PDF reader and AI chatbot (stored in Firestore), and data from Google Analytics (if consented), to identify usage trends, determine the effectiveness of our content, and to evaluate and improve our Services and user experience.
• To identify usage trends: As above, information about how you use our Services helps us understand how they are being used so we can improve them.
• To comply with our legal obligations: We may process your information to comply with our legal obligations, respond to legal requests, and exercise, establish, or defend our legal rights.

3. What Legal Bases Do We Rely On to Process Your Personal Information?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

If you are located in the EU or UK, this section applies to you.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

• Consent: We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose (e.g., for Google Analytics cookies). You can withdraw your consent at any time.
• Performance of a Contract: We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you (e.g., responding to a contact form inquiry).
• Legitimate Interests: We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your privacy rights and interests. For example, we process anonymized PDF reader and AI chatbot usage data (stored in Firestore) under legitimate interest to improve our Services.
• Legal Obligations: We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
• Vital Interests: We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

4. When and With Whom Do We Share Your Personal Information?

In Short: We may share information in specific situations described in this section and/or with the following categories of third parties. Information from contact forms is stored in Google Workspace and Firestore. Anonymous PDF reader and AI chatbot data is stored in Firestore. Google Analytics data (if consented) is shared with Google. Google may use anonymized AI data for model training.

Vendors, Consultants, and Other Third-Party Service Providers: We may share your data with third-party vendors, service providers, contractors, or agents ("third parties") who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal information.

The categories of third parties we may share personal information with are as follows:

• Google LLC (multiple services):
  • Google Analytics for website analytics (when consented, see Google's partner policy and Google Analytics data practices).
  • Google Workspace for email communication (contact form submissions) and document storage (see Google Workspace privacy).
  • Google AI services (Genkit using Google Gemini models) for chatbot functionality. Google may use anonymized AI interaction data for model training (see Google's GenAI data governance).
• Google Firestore: Database hosting for storing contact form submissions (in `contactSubmissions` collection), anonymous PDF reader analytics, and anonymized AI chatbot interactions (both in `appAnalytics` collection).
• Communication Services: Email service providers (Nodemailer via SMTP configured with your SMTP provider for contact form notifications).
• IT and System Administration Services: Cloud hosting (Firebase App Hosting), database management, and technical support providers.

We also may need to share your personal information in the following situations:

• Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• Legal Requirements: We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.
• Vital Interests and Legal Rights: We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.

5. Do We Use Cookies and Other Tracking Technologies?

In Short: We use cookies for Google Analytics (conditionally) and may use other tracking technologies like `localStorage` for essential site functionality (e.g., remembering cookie consent).

We use cookies and similar tracking technologies (like web beacons and pixels, and `localStorage`) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out below.

Cookie Categories:

• Strictly Necessary Cookies & `localStorage`: These are essential for the website to function properly. They enable core functionality such as security, network management, and accessibility. Our PDF reader relies on standard browser functionalities that may use `localStorage` for features like remembering the last viewed page but these are not used for cross-site tracking. We also use `localStorage` to store your cookie consent preferences.
• Analytics Cookies (Optional): We use Google Analytics cookies (only with your explicit consent via our cookie banner) to collect information about how visitors use our Site. These cookies collect information in an anonymous form.

Managing Cookie Preferences:

You can control and/or delete cookies as you wish. You can manage your cookie preferences through:

• Our cookie consent banner (appears on first visit)
• Your browser settings
• Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout

6. International Data Transfers

In Short: We may transfer, store, and process your information in countries other than your own, primarily where our service providers (like Google) operate servers.

Our servers (provided by Firebase/Google Cloud) are located in multiple countries, and we use service providers (e.g., Google for Analytics, Workspace, AI services, and Firestore) that may be located in different countries around the world, including the United States. This means that when we collect your personal information, it may be processed in any of these countries.

Safeguards for International Transfers:

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we will only transfer your personal information to countries that have been deemed to provide an adequate level of protection or are covered by appropriate safeguards, such as Standard Contractual Clauses approved by relevant authorities. Google, as a major service provider, has implemented such safeguards for its services.

7. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.

Retention Periods by Data Type:

• Contact Form Data (Firestore & Google Workspace): Retained for up to 3 years from last communication or until you request deletion. Emails in Google Workspace are subject to Google's retention policies.
• Analytics Data (PDF, Chatbot in Firestore `appAnalytics` collection, anonymous): Retained for up to 2 years for statistical analysis and service improvement.
• Website Analytics (Google Analytics, if consented): Data retained according to our configured retention period in Google Analytics (currently 26 months by default, check your GA settings).
• Legal and Compliance Records: Retained as required by applicable law.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

8. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure.

Security Measures Include:

• Encryption of data in transit (HTTPS) and at rest where feasible with our providers (e.g., Firestore).
• Access controls and authentication mechanisms for our internal systems.
• Secure hosting environments (Firebase, Google Cloud Platform).
• Regular review of security practices of our third-party providers.
• Use of Firestore Security Rules to control access to data.

9. Do We Collect Information from Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

Our Services are not directed to children under 18. If you become aware of any data we may have collected from children under age 18, please contact us at secure@saltstrat.com.

10. What Are Your Privacy Rights?

In Short: Depending on your location, you may have certain rights regarding your personal information, such as access, correction, deletion, or objection to processing.

Withdrawing your consent: If we are relying on your consent to process your personal information (e.g., for Google Analytics), you have the right to withdraw your consent at any time via our cookie consent banner or by contacting us.

Opting out of marketing and promotional communications: We currently do not send marketing or promotional communications. If we do in the future, you will be able to unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us.

Cookies and similar technologies: You can manage your cookie preferences via our cookie consent banner or your browser settings.

For specific rights under GDPR, CCPA, etc., please see the relevant sections below.

11. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature. We do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

12. Do California Residents Have Specific Privacy Rights?

In Short: Yes, if you are a resident of California, you are granted specific rights regarding access to your personal information under the CCPA.

Your rights include the right to request information about our data collection practices, to request deletion of your personal information, and to not be discriminated against for exercising your privacy rights. We do not "sell" personal information as commonly defined by the CCPA. To make a request, please contact us at secure@saltstrat.com.

13. Do European Union Residents Have Specific Privacy Rights?

In Short: Yes, if you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, you have specific rights regarding your personal information under the GDPR.

Your rights include the right to access, rectification, erasure, restriction of processing, data portability, and to object to processing. To exercise these rights, or to lodge a complaint with a supervisory authority, please contact us or your local data protection authority.

Supervisory Authority Contact Information:

• EU: Find your local DPA at https://edpb.europa.eu/about-edpb/board/members_en
• UK: Information Commissioner's Office (ICO) - https://ico.org.uk/

14. Do Other US State Residents Have Specific Privacy Rights?

In Short: Residents of Colorado, Connecticut, Utah, and Virginia may have specific rights under their state privacy laws.

These rights may include the right to access, correct, delete, or obtain a copy of your personal data, and to opt out of targeted advertising or the sale of personal data. Contact us to exercise these rights.

15. Do Middle East Residents Have Specific Privacy Rights?

In Short: Residents of certain Middle Eastern countries may have specific privacy rights under local data protection laws (e.g., UAE, Saudi Arabia, Qatar). We aim to comply with applicable local requirements.

16. Data Breach Notification

In Short: We have procedures in place and will notify relevant authorities and affected individuals as required by law in case of a data breach.

17. Automated Decision Making

In Short: We do not use automated decision-making or profiling that produces legal or similarly significant effects concerning you.

Our AI chatbot provides informational responses based on the SITREPs but does not make automated decisions about you with legal or significant effects.

18. Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws. The "Last Updated" date will indicate changes.

19. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at secure@saltstrat.com or contact us at:

SALT Strategic Advisory
Email: secure@saltstrat.com
Website: https://saltstrat.com

20. How Can You Review, Update, or Delete the Data We Collect From You?

In Short: To request to review, update, or delete your personal information, please contact us at secure@saltstrat.com.

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. We will respond to your request within the timeframe required by applicable law.