LEGAL · PRIVACY · v3 — May 26, 2026

How we handle your data.

WarmSignal is a revenue-partnership brand operated by Zenith Synapse LLC. This policy explains what personal information we collect, how we use and share it, who we share it with, how long we keep it, and what rights you have. By using the Services, you agree to this Policy.

Effective date
May 26, 2026
Last updated
May 26, 2026
Company
Zenith Synapse LLC
Brand
WarmSignal
Address
30 N Gould St, STE R, Sheridan, WY 82801
Privacy contact
privacy@zenithsynapse.com
01 · SCOPE

Where this policy applies.

This Policy applies to information we collect:

  • On warmsignal.com and pages that link to this Policy.
  • In emails, forms, proposals, contracts, and other electronic communications with us.
  • Through service integrations you connect to our automations (e.g., CRMs, help desks).

It does not apply to third-party sites, apps, or services that we do not control. Their policies govern their practices.

02 · NOTICE AT COLLECTION

U.S. state consumer-privacy laws.

This Section is our combined Notice at Collection and consumer-rights summary for U.S. state consumer-privacy laws including, where applicable to a given resident, the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Montana Consumer Data Privacy Act (MCDPA), the Iowa Consumer Data Protection Act, the Delaware Personal Data Privacy Act, the New Jersey Data Privacy Act, the Tennessee Information Protection Act, the Indiana Consumer Data Protection Act, the Maryland Online Data Privacy Act, the Minnesota Consumer Data Privacy Act, the New Hampshire Privacy Act, and the Kentucky Consumer Data Protection Act, in each case to the extent the law applies and we meet its applicability thresholds. Whether a particular law applies to a particular interaction depends on residency, the volume and nature of the data, and the statutory thresholds. If you believe a state law applies and you have not received the disclosures it requires, contact privacy@zenithsynapse.com.

Categories collected:

  • Identifiers (name, business email, phone, IP, cookie/SDK IDs, account login).
  • Professional / Commercial (company, role, service interest, purchase history).
  • Internet / Network activity (pages viewed, referring URL, timestamps, device/browser).
  • Geolocation (coarse) from IP. We do not collect precise geolocation.
  • User Content / Inputs (prompts, configuration files, support tickets).
  • Inferences (service preferences, estimated interests).

Sources: You; your organization; cookies/analytics; public sources; service providers you connect.

Purposes: Provide and secure Services; configure automations; support; analytics and product improvement; personalization/marketing consistent with your choices; compliance; fraud/misuse prevention.

Disclosures for business purposes: Service providers/contractors (hosting, analytics, email, payments, security) under contracts limiting use to our instructions; affiliates for support; legal/safety; business transfers.

"Sale" / "Sharing" (CPRA) and "Targeted Advertising" (other state laws): We do not sell personal information for money or other valuable consideration. We may "share" limited online identifiers with advertising / analytics partners to measure site performance; where this constitutes "sharing" under CPRA or "targeted advertising" / "sale" under other state laws, you may opt out (see Section 08), including via Global Privacy Control (GPC) and other recognized universal opt-out mechanisms where required by law (e.g., Colorado, Connecticut, Texas).

Sensitive Personal Information / Sensitive Data: We do not use or disclose Sensitive Personal Information for purposes requiring a "Limit Use" right under CPRA, and we do not engage in processing of "sensitive data" under other state laws that would trigger an affirmative-consent obligation. If we ever introduce such processing, we will obtain opt-in consent where the applicable state law requires it (e.g., VCDPA, CPA, CTDPA, OCPA, MCDPA, NJDPA, MDODPA, MNCDPA, NHPA, DPDPA, ICDPA, TIPA).

No financial incentives. We do not offer financial incentives or price / service differences in exchange for the retention or sale of personal information under CCPA / CPRA § 1798.125 [settled — verify pinpoint], and we do not offer "bona fide loyalty programs" or similar incentive programs under any state consumer-privacy law.

Retention summary at collection (CPRA). The retention periods for each category collected are stated in Section 10 (Retention). We do not retain personal information longer than reasonably necessary for the purposes disclosed.

03 · INFORMATION WE COLLECT

What enters our systems.

  • You provide: contact details; organization info; credentials/API keys you choose to provide for integrations; content you submit (prompts, data samples, tickets); payment data handled by our payment processor.
  • Automatic collection: device/usage data, cookies/SDKs, log files.
  • Third parties: integrated platforms you connect, public sources, analytics, anti-fraud vendors.

Please do not submit special-category / sensitive data (e.g., health, biometric, precise geolocation, financial account numbers, government IDs) unless we have a mutually executed Data Processing Addendum (DPA) expressly permitting it.

04 · HOW WE USE INFORMATION

The uses we make of it.

  • Operate, maintain, and improve the Services.
  • Configure and administer your account, projects, and integrations.
  • Provide support; respond to inquiries; send administrative notices.
  • Analyze usage; develop features; enhance security and abuse prevention.
  • Personalize content and measure marketing performance per your choices.
  • Comply with law; enforce agreements; protect rights and property.

GDPR legal bases (EEA / UK / Swiss users). Where European data-protection law applies, we rely on the following lawful bases:

  • Contractual necessity (Art. 6(1)(b)) — to deliver the Services you or your organization have engaged us to perform, administer accounts, and execute SOWs.
  • Legitimate interests (Art. 6(1)(f)) — to secure the Services, prevent fraud and abuse, conduct service analytics and product improvement, and carry out limited B2B marketing to professional contacts. We balance these interests against your rights.
  • Consent (Art. 6(1)(a)) — for non-essential cookies, marketing emails where required, and any optional AI-training opt-in (Section 04, AI / Automation Use). You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — to meet tax, accounting, anti-fraud, and regulatory-response obligations.

AI / Automation Use: We process "User Content" you supply to run the automations you request, troubleshoot, and ensure security / abuse prevention. Unless you opt in separately in writing, we do not permit third-party model providers to use your User Content or outputs to train their foundation models, and we do not use your User Content to train our own models.

Automated decision-making and profiling. The Services use AI-enabled automation to draft outreach, schedule, score engagement, and produce reports. These outputs are not used to make decisions that produce legal or similarly significant effects about you (such as employment, credit, housing, insurance, education access, or denial of essential services) without meaningful human review. We do not engage in "solely automated decision-making" within the meaning of GDPR Article 22, the CPRA automated decision-making technology (ADMT) regulations [model knowledge — verify], the Colorado Privacy Act profiling rules, or analogous provisions of other U.S. state consumer-privacy laws that grant opt-out rights for profiling in furtherance of decisions producing legal or similarly significant effects. If we introduce such processing in the future, we will provide pre-use notice, an opt-out (or, where required, opt-in), and information about the logic involved and the significance and expected consequences.

AI-generated content. Where we produce AI-generated text, images, audio, or video as part of a deliverable for you, we will disclose that fact to you. Public-facing materials we publish that are substantially AI-generated will be identified as such where required by applicable law (e.g., California AB 2655, AB 2839, SB 942 [model knowledge — verify pinpoint and effective date]).

05 · COOKIES & SIMILAR

What sits in the browser.

We use a small set of cookies and similar browser technologies (local storage, log beacons). The categories below describe what runs on warmsignal.com today. We do not currently deploy a consent management platform (CMP) banner because the site does not load advertising or cross-context behavioral-advertising tags by default; if that changes, we will deploy a CMP that requests consent before non-essential trackers fire, and update this Section.

  • Strictly necessary — session, security, CSRF, and load-balancer cookies set by our hosting platform (Vercel). Always on; cannot be disabled without breaking the site. Typical duration: session to 1 year.
  • Functional / analytics — aggregate page-view, performance, and error telemetry used to diagnose issues and improve the Services. Where enabled, this may include privacy-preserving analytics and Vercel Web Analytics / Speed Insights. Typical duration: up to 13 months.
  • Advertising / retargeting — not enabled by default. If we turn on remarketing pixels in the future, we will surface a consent banner before they fire and update this table.

Third-party font & asset loading. Our pages load typefaces from Google Fonts (fonts.googleapis.com / fonts.gstatic.com). Google may receive your IP address and request metadata when fonts are fetched. Google's handling of that data is governed by the Google Privacy Policy. We treat font CDN requests as strictly necessary and do not use them for advertising or cross-site tracking.

Manage preferences via your browser settings and via Global Privacy Control (GPC) and other recognized universal opt-out mechanisms. We treat valid GPC signals as an opt-out of "sharing" / "sale" / "targeted advertising" for cross-context behavioral advertising where required by California, Colorado, Connecticut, Texas, and other state laws that recognize such signals [model knowledge — verify state-by-state]. Because we do not currently engage in cross-context behavioral advertising on warmsignal.com, GPC has no advertising opt-out to apply today, but the signal is logged and honored if and when such processing begins.

06 · HOW WE DISCLOSE

Who else sees the data.

We may disclose information to:

  • Service providers / contractors acting as processors under written contracts that restrict use to our documented instructions. Current categories and representative vendors include:
    • Hosting & edge infrastructure — Vercel Inc. (USA).
    • Email / inbound messaging — our business-email and ticketing providers used to receive privacy@zenithsynapse.com and hello@warmsignal.com correspondence.
    • Analytics & performance monitoring — first-party and privacy-preserving analytics (e.g., Vercel Web Analytics / Speed Insights) and error telemetry.
    • Font & asset CDNs — Google Fonts (Alphabet Inc., USA).
    • Payments — where invoiced engagements involve card payments, processing is handled by a PCI-DSS-compliant processor; we do not store full card numbers.
    • AI / automation model providers — large-language-model and workflow vendors used solely to perform the automations you configure, under no-training contractual terms unless you opt in.
  • Affiliates supporting the Services under equivalent confidentiality obligations.
  • Business transfers (merger, acquisition, financing, or sale of assets), subject to continued protection of your information.
  • Legal / safety compliance, lawful requests, court orders, or to protect rights, property, and security.

For customers and partners under an executed engagement or DPA, a current sub-processor list reflecting the vendors used for that engagement is available on written request to privacy@zenithsynapse.com. The representative categories above describe the vendor types used for the public marketing site. We do not allow service providers to use your information for their own independent marketing.

07 · THIRD-PARTY SERVICES

Integrations you connect.

If you connect third-party services (e.g., Google, Microsoft, Slack, HubSpot), their use of your information is governed by their terms and privacy policies. Where applicable (e.g., Google API Services), our use and transfer of data obtained from those APIs adheres to the provider's User Data Policy (including "Limited Use").

08 · YOUR CHOICES

How to opt out.

  • Marketing emails: unsubscribe via the footer of any marketing email or contact privacy@zenithsynapse.com. Transactional and account messages are not promotional and cannot be opted out of while you remain a user.
  • Cookies / tracking: use consent tools (where provided), browser settings, and/or GPC; we treat valid GPC signals as an opt-out of "sharing" for cross-context behavioral advertising where required.
  • Do Not Sell or Share My Personal Information: submit a request via privacy@zenithsynapse.com with the subject line "Do Not Sell or Share." A linked submission page is provided in the site footer where required by law.
  • Authorized agents: CCPA / CPRA authorized-agent requests are honored when accompanied by signed permission and reasonable verification of the consumer's identity.
09 · YOUR RIGHTS

What you can ask of us.

Depending on where you live, you may have rights to access / know, rectify / correct, delete, port (receive in a structured, commonly used, machine-readable format such as CSV or JSON), restrict or object to processing, opt out of targeted advertising, opt out of the sale or sharing of personal information, opt out of profiling in furtherance of decisions producing legal or similarly significant effects (where applicable), limit the use of sensitive personal information, withdraw consent, and appeal any decision we make on your request. You are also entitled to be free from unlawful discrimination or retaliation for exercising these rights.

  • How to submit: email privacy@zenithsynapse.com with the subject "Privacy Request" and your state or country of residence. Two methods are available: (i) this email channel, and (ii) where required by your state, a request submission page linked from the site footer. We will verify your identity in a manner proportionate to the sensitivity of the request and consistent with applicable law.
  • Authorized agents. CCPA / CPRA and other state-law authorized-agent requests are honored when accompanied by signed permission from the consumer and reasonable verification of the consumer's identity. We may deny requests we cannot verify.
  • Appeals. If we decline a rights request in whole or in part, you may appeal by replying to our response or emailing privacy@zenithsynapse.com with the subject line "Privacy Appeal." We will respond to appeals within 45 days (or sooner where required, e.g., Virginia, Colorado, Connecticut). If the appeal is denied, you may contact the attorney general or supervisory authority for your state where applicable.
  • Response timing: we acknowledge requests within 10 business days and respond substantively within 30 days for GDPR / UK GDPR requests (extendable by up to two further months for complex requests, with notice) and within 45 days for CCPA / CPRA and other U.S. state-law requests (extendable once by 45 days, with notice) [model knowledge — state-by-state timing varies; verify]. Requests are free in most cases; a reasonable fee may apply only to manifestly unfounded or excessive repeat requests.
  • EEA / UK / Swiss users: see Section 04 for our legal bases. You may lodge a complaint with your local Data Protection Authority (in the UK, the ICO at ico.org.uk; in the EEA, your member-state regulator; in Switzerland, the Federal Data Protection and Information Commissioner / FDPIC). We do not currently have an EU establishment; if we are required to designate an Article 27 EU Representative or UK Representative under Article 27 UK GDPR, we will name them in this Policy and on request. [Operator note: Article 27 representative designation is a policy-level decision pending attorney review.]
  • Data Protection Officer: Zenith Synapse LLC is not currently required to appoint a statutory DPO. Privacy inquiries are handled by our Privacy Lead at privacy@zenithsynapse.com.
10 · RETENTION

How long we hold it.

We retain personal information only for as long as necessary for the purposes described in this Policy, to comply with legal obligations, to resolve disputes, and to enforce agreements. When retention is no longer required, we delete or de-identify the data. Indicative periods:

  • Account & engagement records — for the duration of the customer relationship plus up to 24 months after termination, for support, audit, and renewal continuity.
  • Contracts, SOWs, and billing / tax records — up to 7 years after the engagement ends, to meet U.S. tax, accounting, and audit obligations.
  • Marketing & prospect data — until you unsubscribe or object, and then suppression-list retention only (so we know not to contact you again).
  • Support tickets & correspondence — up to 24 months after closure.
  • Web analytics & performance telemetry — typically 13 months in identifiable form, then aggregated.
  • Security / access logs — typically 90 days for routine logs, longer where needed to investigate incidents.
  • Backups — overwritten on a rolling cycle, generally within 90 days.

Where a longer period is required by law (e.g., litigation hold, regulatory request), we retain the relevant data until that obligation lapses.

11 · SECURITY & BREACH NOTIFICATION

The safeguards we use.

We implement administrative, technical, and physical safeguards designed to protect personal information, including TLS encryption in transit, access controls and least-privilege provisioning, multi-factor authentication for administrative accounts, vendor due diligence, and routine review of our security posture. No method of transmission or storage is 100% secure; you are responsible for safeguarding your credentials.

If we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours as required by Article 33 GDPR [settled], and we will notify affected individuals as required by Article 34 GDPR and by applicable U.S. state breach-notification laws. U.S. state laws vary on timing (most require notice "in the most expedient time possible and without unreasonable delay," and several impose specific outer limits — e.g., 30, 45, 60, or 90 days from discovery) [model knowledge — verify by state]. Where required, we will also notify state attorneys general, consumer reporting agencies, and other regulators, and where law enforcement requests a delay we will comply.

12 · CHILDREN

Sixteen and over.

The Services are directed to business users and individuals 16 and older. We do not knowingly collect personal information from children under 16, and we do not knowingly collect personal information from children under 13 within the meaning of the U.S. Children's Online Privacy Protection Act (COPPA) [settled] and the FTC's COPPA Rule (including any amendments effective in 2026) [model knowledge — verify effective date]. We do not knowingly engage in the sale, sharing, or targeted advertising of any minor's personal information, and we do not engage in profiling of minors. If you believe a child has provided personal information, contact privacy@zenithsynapse.com and we will delete it promptly. Several U.S. state consumer-privacy laws extend heightened protections to consumers under 18; we honor those protections where applicable.

13 · INTERNATIONAL TRANSFERS

Where the data may travel.

Zenith Synapse LLC is based in the United States, and many of our service providers are located in the United States and other countries that may have different data-protection laws than your jurisdiction. Where personal data is transferred out of the EEA, United Kingdom, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards, which may include the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA) or UK Addendum to the EU SCCs, the Swiss Federal Data Protection and Information Commissioner's approved transfer mechanisms under the revised Swiss Federal Act on Data Protection (FADP), and supplementary technical and organizational measures where required following Schrems II and successor guidance. Where the recipient is in the United States and certified under the EU–US Data Privacy Framework (and its UK Extension / Swiss–US DPF), we rely on that mechanism to the extent applicable [model knowledge — verify current status of frameworks]. A copy of the relevant transfer mechanism is available on request to privacy@zenithsynapse.com.

14 · ADDITIONAL JURISDICTIONAL NOTICES

State-specific addenda.

Washington "My Health My Data" Act and analogous state health-data laws. We do not knowingly collect "consumer health data" within the meaning of the Washington My Health My Data Act [model knowledge — verify], Nevada SB 370, or Connecticut SB 3, and we do not sell or share such data. If you believe you have submitted consumer health data through the Services in error, contact privacy@zenithsynapse.com and we will delete it.

California "Shine the Light." California residents may request information about our disclosures (if any) of personal information to third parties for those third parties' direct-marketing purposes during the preceding calendar year. We do not currently make such disclosures. Submit any such request to privacy@zenithsynapse.com with the subject "Shine the Light Request."

Nevada, Vermont, and other "sale" opt-outs. Nevada residents (NRS 603A) and residents of other states with sale-specific opt-out regimes may direct us not to sell their covered information by emailing privacy@zenithsynapse.com with the subject "Do Not Sell." As noted in Section 02, we do not sell personal information for monetary consideration.

EU AI Act and state AI laws. The Services use general-purpose AI models supplied by third-party providers to perform automation tasks. We do not place a high-risk AI system on the EU market within the meaning of the EU AI Act [model knowledge — verify scope and applicability], and our use of AI is limited to the purposes described in Section 04. Where the Colorado AI Act, California AB 2013 / SB 942, the New York City Automated Employment Decision Tool law, or similar state or local AI-governance laws apply to a specific engagement [model knowledge — verify], we will document our role (deployer vs. developer) and obligations in the applicable SOW or DPA.

Sectoral regimes. The Services are not designed for processing protected health information (HIPAA), nonpublic personal information of financial-institution customers (GLBA), student records (FERPA), or other sector-regulated data, unless a separate Business Associate Agreement, GLBA-compliant arrangement, or equivalent sectoral contract has been executed.

15 · CHANGES

When this policy moves.

We may update this Policy. The Effective date above reflects the latest version. Material changes will be highlighted on the site or by direct notice where required. Continued use means you accept changes.

16 · CONTACT

Reach us.

For privacy questions, rights requests, or to identify our EU / UK Representative if one becomes required, contact our Privacy Lead:

Zenith Synapse LLC — Privacy Lead 30 N Gould St, STE R
Sheridan, WY 82801 · USA
privacy@zenithsynapse.com
Subject lines: "Privacy Request" · "Do Not Sell or Share" · "GDPR Request"

For GDPR / UK GDPR complaints, you may also contact your local supervisory authority. For California residents, you may submit CCPA / CPRA requests to the email above; if a toll-free number is later required by your usage volume, it will be listed here.