Data minimization, purpose-limited processing, region-aware controls, and the operating discipline regulated industries actually require. DPA template available on request under NDA.
Six pillars
These are the principles. The rights and retention sections below document what they translate to in practice.
Every collection point — forms, cookies, integrations — captures only what's necessary for the named purpose. Optional fields are explicitly optional; we don't ask for what we won't use.
Data collected for a specific purpose stays in that purpose. We don't repurpose lead-form submissions for marketing without explicit re-consent; we don't move customer data into analytics without aggregation and pseudonymization.
GDPR, CCPA, CPRA, PIPEDA — controls map to architectural components, not to a one-size compliance overlay. Data subjects in each region get the rights that region affords, with response SLAs in writing.
GPC signals are detected at page load. When detected, analytics and advertising categories default to off until the visitor explicitly opts in. CPRA-compliant; works for the future regulations that haven't been written yet.
Every subprocessor with access to personal data signs a DPA before data flows. List maintained publicly and updated quarterly. BAA chain documented for engagements that touch ePHI.
Deletion requests are an architectural concern, not a customer-service triage. Our data substrate is designed so erasure cascades cleanly across the systems that hold a data subject's records — including derived data and backups within the retention window.
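The GPC handling described in the pillars above, sketched as an added example (not CITADEL's own code): detect the signal from `navigator.globalPrivacyControl` or the `Sec-GPC: 1` request header, then keep analytics and advertising off unless the visitor has made an explicit choice. The category names, the `{ granted, explicit }` stored-choice shape, and the `regionDefaults` parameter are assumptions made for illustration.

```javascript
// Added example, not the site's code. Category names and the stored-choice
// shape ({ granted, explicit }) are assumptions made for illustration.
const GPC_GATED = ["analytics", "advertising"];

// True when a GPC signal is present from either source the spec defines:
// the navigator.globalPrivacyControl property or a "Sec-GPC: 1" header.
function gpcDetected({ nav = {}, headers = {} } = {}) {
  if (nav.globalPrivacyControl === true) return true;
  // Header names are case-insensitive; only the exact value "1" counts.
  return Object.entries(headers).some(
    ([name, value]) =>
      name.toLowerCase() === "sec-gpc" && String(value).trim() === "1"
  );
}

// Resolve the effective consent state for one page load.
function resolveConsent({ gpc, regionDefaults = {}, stored = {} }) {
  const result = { necessary: true };
  for (const category of GPC_GATED) {
    const choice = stored[category];
    if (choice && choice.explicit === true) {
      // An explicit visitor choice (opt-in or opt-out) always wins.
      result[category] = choice.granted === true;
    } else if (gpc) {
      // GPC present and no explicit choice: default to off, even if a
      // non-explicit "granted" value was inherited from an earlier default.
      result[category] = false;
    } else {
      // No signal: fall back to the (assumed) per-region default.
      result[category] = regionDefaults[category] === true;
    }
  }
  return result;
}

// Constructed sample request headers and stored choices.
const SAMPLE_HEADERS = { "Sec-GPC": "1", "User-Agent": "constructed-sample" };

function demo() {
  const gpc = gpcDetected({ headers: SAMPLE_HEADERS });
  return resolveConsent({
    gpc,
    regionDefaults: { analytics: true, advertising: true },
    stored: { analytics: { granted: true, explicit: true } },
  });
}

console.log(demo());
```

In a browser the first argument would be `{ nav: navigator }`; on the server, pass the incoming request headers instead.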
Your rights
Across GDPR, CCPA, CPRA, and PIPEDA the rights surface differently — but the underlying expectation is the same. Email [email protected] to exercise any of them.
Request a copy of personal data we hold about you. Delivered within 30 days (45 for complex requests).
Request correction of inaccurate or incomplete personal data.
Request deletion where we no longer have a lawful basis to process — subject to applicable retention requirements (audit, regulatory).
Limit processing in specific circumstances — contested accuracy, processing without lawful basis.
Receive personal data you provided in a structured, machine-readable format.
Object to processing based on legitimate interests — including direct marketing.
Withdraw consent at any time without affecting prior lawful processing.
Exercise any of these rights without penalty — no price changes, no service denial.
Retention schedule
Retention is calibrated to the regulatory frame, the audit requirements, and the legitimate business interest — not to “as long as we like.” Each row below has a documented owner and a quarterly review cadence.
Marketing contacts move to suppression-only state when no engagement occurs for 24 months. Suppression-only retention exists solely to honor opt-outs.
Period: 24 months active · 60 months suppression-only after opt-out
Hot retention for operational debugging; cold retention for SOC 2 / ISO 27001 / regulator inquiry.
Period: 12 months hot · 84 months cold
Customer-controlled. We retain only as long as the DPA requires; deletion follows our standard erasure flow on contract close + retention window.
Period: Per executed DPA with each customer
Plausible runs cookieless; PostHog (when consented) retains 13 months by default with rolling deletion.
Period: 13 months
Active relationships only. Inactive contacts moved to suppression-only after 24 months of inactivity.
Period: 36 months
Privacy contact
Email [email protected]. CITADEL responds within one business day for procurement requests; data-subject requests within 30 days under applicable law.