Privacy policy.

01Who we are.

Sproutling & Co. is the data controller for this site and our client engagements.

We're a fractional growth team based in Santa Cruz County, California. When this policy says "we," "us," or "our," it means Sproutling & Co. When it says "you," it means anyone visiting our website, filling in a form, signing up for our newsletter, or working with us as a client or prospective client.

02What we collect.

We collect only what we need to do our job and to talk to you.

Information you give us

• Contact form & consultation requests — name, email, phone (if you provide it), company, project topic, budget range, and your message.
• Engagement information — names, emails and roles of people we need to coordinate with; project documents and access credentials you share for us to do the work.
• Email correspondence — anything you write to us.

Information collected automatically

• Server logs — standard web-server logs kept by our hosting provider (IP address, pages requested, browser type), used for security and reliability, not for profiling.
• Cookies & similar technologies — currently none; see our cookie policy for the up-to-date answer.

03How we use it.

We use your information to deliver what you've asked for and to run our business responsibly.

• Respond to inquiries and schedule consultations.
• Provide the services described in your engagement letter or SOW.
• Send transactional messages (e.g. invoices, project updates, IT alerts).
• Improve our website and understand how visitors use it.
• Meet legal, tax and accounting obligations.

We do not use your information for behavioral advertising. We do not build marketing profiles on you. We will not email you marketing material unless you explicitly opt in to our newsletter — and if you ever do, you can unsubscribe with one click at the bottom of any email.

04Legal basis for processing.

Where applicable laws require us to identify a legal basis, here's how we think about it.

• Contract — to take steps at your request before entering, or to perform, a contract with you.
• Legitimate interests — to operate, secure and improve our site and services in ways you'd reasonably expect.
• Consent — for newsletter sign-ups and any non-essential cookies (see cookies policy).
• Legal obligation — to comply with applicable tax, accounting and regulatory requirements.

05Who we share with.

A short list. We never sell or rent your personal information.

Service providers we use

• Email & calendar — Google Workspace.
• Website hosting — a US-based managed hosting provider.
• Analytics — none today; if we adopt a privacy-respecting analytics tool, we'll name it here and in the cookie policy first.
• Payment processing — Stripe (for invoices we issue).
• Project & documents — Notion / Google Drive for collaboration; DocuSeal for e-signatures.
• Vetted subcontractors — when an engagement requires it, under written confidentiality.

Other disclosures

We will disclose information when required by law, valid legal process, or to protect rights, property, or safety (ours, yours, or others'). In the event of a sale, merger or reorganization, your information may transfer with the business, subject to this policy.

06How long we keep it.

As long as we need it for the purpose we collected it — no longer.

• Contact-form messages that don't lead to an engagement — up to 24 months.
• Client project records — retained for the duration of the engagement and 7 years after, to support tax and audit obligations.
• Newsletter subscribers — until you unsubscribe.
• Server logs — per our hosting provider's standard rotation, typically 30–90 days.

07Your rights.

If you are a California resident, the California Consumer Privacy Act (CCPA/CPRA) gives you specific rights over your personal information. We extend most of these rights to everyone who interacts with us, regardless of residency.

• Know — what information we have about you and how we use it.
• Access — a copy of your personal information in a portable format.
• Correct — request that we fix inaccurate information.
• Delete — ask us to delete your personal information, subject to legal retention obligations.
• Opt out of sale or sharing — not applicable; we don't sell or share for cross-context behavioral advertising.
• Non-discrimination — we won't deny service or charge different prices for exercising any of these rights.

To exercise any right, email us at hello@sproutlingconsulting.com with the subject line "Privacy request." We'll respond within 45 days. For verification, we may ask you to confirm details only the account holder would know.

08Security.

We use reasonable administrative, technical and physical measures to protect your information.

This includes multi-factor authentication on internal accounts, encryption of data in transit and at rest where supported by our service providers, role-based access, and routine review of who has access to what. No system is perfectly secure — if a breach affects your information, we'll notify you and applicable regulators consistent with the law.

09Children.

Our site and services are intended for adults running businesses. We do not knowingly collect personal information from children under 13.

If you believe a child has provided us personal information, please contact us and we'll delete it.

10Changes & contact.

We may update this policy from time to time. We'll change the "Last updated" date at the top and highlight material changes for thirty days.

Questions about your privacy?

Email hello@sproutlingconsulting.com, call (831) 508-7300, or write to: Sproutling & Co., Santa Cruz County, CA. A real human will read it and respond.