Your privacy matters to us.
Last updated: March 10, 2026
This Privacy Policy describes how Tarheel Tactics LLC ("we," "us," or "our") collects, uses, shares, and protects information when you use our websites, applications, and platforms (collectively, the "Services"). By using our Services, you agree to the practices described in this policy.
The short version
- We collect only the data needed to operate our Services.
- We never sell your personal information to third parties.
- We share data with reputable service providers solely to deliver and improve our Services.
- We honor data access, correction, and deletion requests regardless of your location.
- We use encryption in transit and at rest to protect your data.
Information we collect
Information you provide
- Account information: name, email address, and password (hashed and salted — we never store plaintext passwords)
- Profile information: display name, profile picture, date of birth or age range (for age-gated services), and organization or workspace details
- Contact form submissions: name, company, email, and message content
- Content you create: text, media, and other materials submitted through our platforms
- Communications: emails, support requests, and feedback you send us
Information collected automatically
- Device and browser information: type, operating system, and browser version
- Usage data: pages visited, features used, timestamps, and session duration
- Network information: IP address, approximate location, and referring URL
- Error and performance data: crash reports, stack traces, and performance metrics
Information from third-party sources
- Single sign-on providers (e.g., Google): name, email, profile picture, and organization roles when you choose to authenticate with a third-party account
- Marketing and analytics platforms: aggregated campaign performance, website traffic, and search ranking data for clients who authorize access
- Public data sources: demographic, business, and location data used to deliver our services
How we use information
- Service delivery: operate, maintain, and improve our websites, applications, and platforms
- Authentication: verify your identity and manage account access
- Communications: respond to inquiries, send transactional emails, and provide service updates
- Analytics: understand how our Services are used to improve the experience
- Security: detect, prevent, and respond to fraud, abuse, and security incidents
- Legal compliance: meet applicable legal and regulatory obligations
Google API services disclosure
Some of our Services allow you to sign in with your Google account or connect Google services. The data we access depends on the permissions you grant:
Standard sign-in (all users)
When you sign in with Google, we request access to your basic profile information: name, email address, profile picture, and organization or workspace details. This data is used solely for authentication and account creation.
Extended access (opt-in, operators only)
Authorized operators and account owners may choose to grant additional access to Google Workspace services including Gmail, Google Calendar, Google Tasks, and Google Chat. These expanded permissions are requested only when you explicitly enable them and are used solely to provide the operational workflows you have requested. You may revoke these permissions at any time through your Google Account permissions settings.
Marketing data access (authorized clients)
For clients who authorize access, we may connect to Google Ads, Google Analytics, Google Search Console, Google Maps, and Google Sheets APIs to provide marketing intelligence and reporting services. This access is granted per-client and can be revoked at any time.
Limited Use Disclosure
Tarheel Tactics LLC's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Communications services
Some of our Services include voice and email communication features:
Voice services
Where voice features are enabled, calls may be routed, recorded, and transcribed to deliver the service. Callers are notified before any recording begins. Voice recordings are retained for up to 90 days and are not sold or shared outside of the service delivery context. You may request deletion of recordings at any time.
Email services
We use third-party email delivery providers to send transactional messages such as account verification, notifications, and service updates. We do not send unsolicited marketing emails. You may opt out of non-essential communications at any time.
Third-party service providers
We use reputable third-party services to operate our business and deliver our Services. These providers process data on our behalf under contractual obligations to protect your information. The following is a summary of service categories and providers as of March 2026. Contact us for the most current list.
| Category | Providers | Purpose |
|---|---|---|
| Hosting, CDN & Compute | Amazon Web Services, Google Cloud, Vercel, Apple (self-hosted infrastructure) | Application hosting, content delivery, file storage, compute |
| Database & Storage | Supabase, PostgreSQL, Redis, Upstash, InfluxDB | Relational data, key-value cache, time-series metrics |
| Identity & Access | Keycloak, Google OAuth, GitHub OAuth, Tailscale, hCaptcha | Single sign-on, multi-tenant auth, zero-trust networking, bot protection |
| AI & Language Models | OpenAI, Anthropic, ElevenLabs, Nvidia NeMo | Content generation, analysis, voice synthesis, local model inference |
| Analytics & Observability | Google Analytics, PostHog, Vercel Analytics, Prometheus, Grafana | Usage analytics, performance monitoring, dashboards |
| Communications | Gmail, Resend, Twilio, Brevo | Email (transactional and operational), voice services |
| Marketing Intelligence | Google Ads, Google Analytics, Google Search Console, Google Maps, Google Sheets, Firecrawl | Campaign data, traffic analysis, SEO, location data, report delivery, web analysis |
| Payments & Banking | Stripe (including Apple Pay, Google Pay), Mercury | Payment processing, billing, business banking |
| Error Tracking | Sentry | Error monitoring, performance diagnostics |
| Networking & Security | Tailscale, Traefik | VPN mesh networking, reverse proxy, TLS termination |
| Secrets Management | Doppler | Credential storage, environment configuration (no user data) |
| Open Source & Self-Hosted | Keycloak, Traefik, Redis, PostgreSQL, InfluxDB, Prometheus, Grafana, Telegraf, Nvidia NeMo, OpenClaw | Identity, proxy, data, observability, model inference, and agent orchestration — self-hosted on our infrastructure |
This list reflects services in use as of March 2026. For the most current list of service providers, please contact us at info@tarheeltactics.com.
Data sharing
We never sell your personal information. We share data only in the following circumstances:
- Service providers: with the third-party providers listed above, solely to operate and improve our Services, under contractual data protection obligations
- Legal requirements: when required by law, regulation, legal process, or enforceable governmental request
- Safety: to protect the rights, property, or safety of Tarheel Tactics, our users, or the public
- Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to affected users
- With your consent: when you explicitly authorize sharing with a specific third party
Cookies & tracking
We use cookies and similar technologies for:
- Essential cookies: authentication, security, and basic site functionality
- Analytics cookies: understanding how our Services are used (opt-out available via our cookie banner)
You can manage cookie preferences through the cookie consent banner displayed on first visit, or by adjusting your browser settings. Disabling essential cookies may affect site functionality.
Data retention
We retain information based on the type of data and its purpose:
| Data Type | Retention Period | After Deletion Request |
|---|---|---|
| Contact form submissions | Up to 2 years | Removed within 30 days |
| User account data | Duration of account | Removed within 90 days |
| Server logs & error data | 30 days (rolling) | Automatic expiration |
| Database backups | 30 days after primary deletion | Purged on schedule |
| Analytics data | Anonymized, indefinite | N/A (not personally identifiable) |
| Voice recordings | Up to 90 days | Removed within 30 days |
| AI-processed content | Duration of service + 30 days | Removed within 30 days |
* The retention periods above represent our default targets as we work toward normalized data lifecycle practices across our Services. Actual retention requirements for enterprise and consulting engagements may differ based on the terms of the applicable Master Service Agreement (MSA) or Service Level Agreement (SLA). Contact us for details specific to your engagement.
Data security
We implement industry-standard measures to protect your information:
- Encryption in transit (TLS/HTTPS) and at rest (AES-256)
- Passwords hashed and salted using bcrypt — never stored in plaintext
- Role-based access controls and row-level security in our databases
- Secrets managed through dedicated secret management infrastructure
- Regular security reviews and dependency audits
No system is perfectly secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security and encourage you to use strong, unique passwords.
Your rights
Regardless of where you are located, you have the following rights regarding your personal information:
- Access: request a copy of the personal information we hold about you
- Correction: request correction of inaccurate or incomplete information
- Deletion: request deletion of your personal information, subject to legal retention requirements
- Portability: request your data in a machine-readable format (JSON)
- Opt-out: opt out of non-essential communications and analytics tracking
- Revoke access: disconnect third-party accounts (e.g., Google) at any time through your account settings or the provider's permission settings
To exercise any of these rights, contact us at info@tarheeltactics.com. We will respond within 30 days.
Children's privacy
Some of our Services require users to be at least 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that we have collected information from a child under 13, we will promptly delete it. If you believe a child under 13 has provided us with personal information, please contact us immediately.
International data transfers
Tarheel Tactics LLC is based in the United States. Your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. By using our Services, you consent to the transfer of your information to these locations. We ensure that all transfers are subject to appropriate contractual protections.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page. For significant changes, we may also provide notice through our Services or via email. Continued use of our Services after changes constitutes acceptance of the updated policy.
Contact
Questions, concerns, or data requests? Email info@tarheeltactics.com. Our mailing address can be provided on request.