Privacy Policy

Last updated: June 8, 2026

Neon Deer Data Labs, Inc. ("we", "us" or "our") respects your privacy and is committed to protecting it. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our publicly‑available tools and services (collectively, the "Services").

1. Scope

This Policy governs personal data we collect and process in connection with our public website and tools only. Any personal data you share with us as part of a consulting engagement is governed exclusively by the terms of your Professional Services Agreement (PSA) and the attached Data Processing Addendum (DPA), if applicable, which supersede this Policy.

2. Information We Collect

2.1 Information You Provide

Contact details (name, email, company, role) when you fill out a form or email us;
Meeting details when you schedule via third‑party tools (e.g. Calendly);
Credentials or tokens if you choose to connect a third‑party service (e.g. OAuth to Attio).

2.2 Automatically Collected Information

We use two privacy-respecting analytics scripts on every page so we can understand which pages are useful and how visitors get to them. Neither script sets cookies, builds a profile of you across sites, or collects information you've typed into the page. See section 4 for the full subprocessor list with vendor privacy links.

Plausible Analytics: cookieless site analytics for human visitors. Captures the page URL, the referrer, your browser type, and a coarse country derived from your IP. No cross‑site tracking; no personal identifiers.
Rampify (browser): cookieless marketing telemetry for human visitors. Captures the page URL and the referrer.
Rampify (server-side bot tracker): a Netlify edge function that fires only when the visitor's user-agent identifies as a search-engine crawler (Googlebot, Bingbot, etc.), an LLM agent (ChatGPT-User, Claude-User, PerplexityBot, etc.), a link-preview unfurler (Slackbot, Discordbot, etc.), a headless browser or automation client (HeadlessChrome, Playwright, Puppeteer, curl, wget, Python requests, etc.), or a performance / uptime monitor (Lighthouse, PageSpeed, Pingdom, UptimeRobot, etc.). When it fires, it sends Rampify the request path (query string is stripped before sending), the referrer header (capped at 1024 characters), the user-agent string (capped at 1024 characters), a coarse country and region code derived from your IP by Netlify (your IP itself is never forwarded to Rampify), and the first language code from your Accept-Language header. This tracker does not fire for regular browser traffic.
Server logs (from our hosting provider, Netlify): IP address, browser type, referrer URL, requested path. Used for availability and abuse detection; retained per Netlify's policy.

3. How We Use Your Information

To provide, maintain, and improve our Services;
To communicate with you (e.g. respond to inquiries, send updates);
To schedule and conduct meetings or demos;
To analyze usage trends and troubleshoot issues;
To comply with legal obligations.

4. Third‑party processors

We do not sell or rent your personal data. The list below is the complete set of third‑party processors that may receive your data through our Services, what they do for us, what categories of data they receive, and a link to each vendor's privacy policy. We update this list whenever we add or remove a processor. It is the source of truth, not a "list available on request."

Site analytics

Plausible Analytics: Privacy-respecting site analytics. Cookieless; no cross-site tracking; no personal data.

Data received:Page URL, referrer, browser type, an anonymized country derived from your IP. No cookies.

When invoked:Loaded on every page of the site.

Vendor privacy policy →

Rampify: Marketing telemetry for content performance and SEO optimization. Runs in two modes: a browser script for human visitors, and a Netlify edge function that captures bot / LLM / link-preview traffic which the browser script never sees because those clients do not execute JavaScript.

Data received:From human visitors (browser script): page URL and referrer. From bot, LLM, automation, and monitoring visitors (server-side edge function, fires only when the user-agent matches a known non-human pattern such as search crawlers like Googlebot/Bingbot, LLM agents like ChatGPT-User/Claude-User/PerplexityBot, link-preview unfurlers like Slackbot/Discordbot, headless browsers and CLI clients like HeadlessChrome/Playwright/curl/wget, and uptime/performance monitors like Lighthouse/Pingdom/UptimeRobot): the request path (query string is stripped before sending), the referrer header (capped at 1024 characters), the user-agent string (capped at 1024 characters), a coarse country and region code derived from your IP by Netlify (your IP itself is never forwarded to Rampify), and the first language code from your Accept-Language header. The edge tracker never fires for regular browser traffic.

When invoked:Browser script loaded on every page of the site. Edge function attached to every path but pass-through for any user-agent not on the bot / LLM / unfurler list.

Vendor privacy policy →

Hosting and infrastructure

Netlify: Static site hosting, serverless functions, and edge functions.

Data received:Server logs (IP address, browser type, referrer URL, requested path). Function invocation logs.

When invoked:All traffic to the site terminates at Netlify.

Vendor privacy policy →

Forms and lead capture

Fillout: Embedded contact and lead-capture forms.

Data received:Whatever you submit through a Fillout-rendered form (name, email, message, etc.). The embed iframe also receives standard browser fingerprint information (user-agent, screen size, referrer) as part of its load; see Fillout's privacy policy for the full list.

When invoked:Loaded only on /contact-us/ and a small number of integration pages with an "install gate" form. Not loaded on other pages.

Vendor privacy policy →

Scheduling and calendaring

Calendly: Meeting scheduling.

Data received:Name, email, scheduled meeting time, and any extra fields you fill in at booking.

When invoked:Loaded only when you open a scheduling link from a CTA on the site.

Vendor privacy policy →

Embedded media

YouTube (privacy-enhanced mode): Embedded product walkthrough videos. We use YouTube's privacy-enhanced (youtube-nocookie.com) embed domain, which does not set tracking cookies until a viewer clicks play.

Data received:On video load: standard browser request information (user-agent, screen size, referrer). On play: viewing data per YouTube's privacy policy.

When invoked:Loaded only on a small number of tool and integration pages that include a product walkthrough video.

Vendor privacy policy →

CRM (only via OAuth)

Attio: Customer relationship management; only invoked through explicit OAuth consent when you connect a workspace.

Data received:OAuth tokens (encrypted at rest). Any CRM data you authorize us to read or write on your behalf.

When invoked:Server-to-server only; never loaded as a script in your browser.

Vendor privacy policy →

We may also share aggregated or de‑identified information that cannot reasonably be used to identify you. We may share personal data with our professional advisors (lawyers, accountants), with an affiliate or acquirer in connection with a merger or acquisition, and with law enforcement or legal authorities where required by law.

5. Cookies and tracking

We do not set any first‑party cookies on this site. The two analytics scripts described in section 2.2 are cookieless. Embedded third‑party widgets (Fillout forms, Calendly scheduling) may set their own cookies when you interact with them; those are governed by the respective vendor's privacy policy linked above. If we ever introduce a tracking technology that builds a profile of you across sites, this policy will be updated and you will be notified via the "Last updated" date.

6. Data Security

We do not persistently store personal data on our systems. The only credentials we temporarily handle are OAuth tokens necessary to facilitate integrations with third‑party services. All such tokens are encrypted at rest and in transit, and are retained only for as long as required to maintain your authenticated session.

All data in transit is protected by HTTPS/TLS encryption;
OAuth tokens are encrypted at rest and accessible only to authorized processes;
We host our services on reputable platforms (Netlify, Supabase) that provide industry‑standard physical and network security;
We apply regular dependency updates and secure configuration management.

Because we do not retain personal data beyond what is needed for OAuth sessions, our exposure to data breaches is minimal. In the unlikely event of a security incident involving OAuth credentials, we will promptly investigate, contain, and remediate the issue and notify you and any applicable regulators as required by law.

7. Your Rights

Depending on where you live, you may have rights under applicable privacy laws, including to access, correct, delete, or port your personal data, or to withdraw consent. To exercise any rights, contact us using the details below.

8. Children's Privacy

Our Services are not intended for children under 13. We do not knowingly collect personal data from anyone under 13.

9. Updates to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date will change when we do. Please review it periodically. Your continued use of our Services constitutes acceptance of any changes.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us:

NEON DEER DATA LABS, INC.
100 N HOWARD ST
STE R
SPOKANE, WA 99201

Email: privacy@neondeerdata.com