Neptune Ops Privacy and Data Policy

The following categories of consumer information may be collected when interacting with Neptune Ops for commercial purposes.

When consumers visit our websites, we and our service providers may automatically collect IP address, device ID, cookie identifiers, browser type, operating system, referring URLs, pages viewed, time spent on pages, general geographic location derived from IP, and interaction data.

Sensitive Personal Information (SPI): Certain datasets we receive from third parties and use for our products and services, including voter file data, may contain information that could qualify as Sensitive Personal Information under applicable law (e.g. political affiliation). Where Sensitive Personal Information is included in datasets, it is used only as necessary for our products and services requested by customers and not for independent profiling outside those purposes. We do not sell or disclose Sensitive Personal Information to demand-side platforms (DSPs) or other advertising partners, and we do not use it to infer characteristics about individuals beyond the scope of the services described in this Policy.

Under GDPR and UK GDPR, online identifiers (IP address, device ID, cookie ID) constitute personal data. Neptune Ops does not operate in or intentionally collect or process political affiliation or voter file information relating to individuals located in the European Economic Area or the United Kingdom. If we become aware that such data has been collected inadvertently, we will take reasonable steps to delete or restrict processing of that information.

Categories of Consumer Information that may be collected by Neptune Ops or third parties we do business with:

We collect information and use integrations from our customers, third party data sources, and other vendors under contract to enhance our business practices and improve the accuracy of our records. When consumers visit our website and/or use a mobile device, their device may share location information (when they enable location services) with our websites, mobile application(s), services, and/or our service providers.

We do not collect personal information directly from individuals for our own marketing purposes. Our primary sources are licensed data vendors, customers, and website interactions as described above.

We may sell and share certain categories of personal information, including identifiers, and inferences, for cross-context behavioral advertising and related analytics purposes as those terms are defined under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") and other relevant state laws. "Sell" means disclosing personal information to a third party for monetary or other valuable consideration. "Share" means disclosing personal information to a third party for cross-context behavioral advertising, whether or not for monetary consideration.

We may sell individuals' names and their relationship to identified principals as reflected within the company's proprietary platform. We do not transfer contact lists, including contact information, voter registration details, or consumer attributes, to third parties for their independent use or marketing purposes. However, we do share certain identifiers (such as names, email addresses, phone numbers, and mailing addresses) with demand-side platforms (DSPs) for purposes of cross-context programmatic advertising on behalf of our customers. These disclosures may constitute a 'sale' or 'share' under applicable privacy laws including CPRA, even though we do not sell contact information as a standalone commercial product. We honor verified opt-out rights for all such activities as described in the 'State-Specific Privacy Rights and How to Exercise Them' section of this Policy.

We may sell collected information to our customers through our proprietary platforms, such as names, job information, and relationship to identified principals.

We may share collected information with companies that provide consulting or support services to support our business activities or help us market our products and services. These companies may need information about consumers in order to perform their functions. We limit information shared with service providers to what is necessary to fulfill the services.

Further, we may disclose information we collect when disclosure is necessary to comply with the law, to enforce or apply applicable terms and conditions and other agreements, to facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or disposal of all or part of our business or assets, or to protect the rights, property, or safety of our company or others. We may share non-identifiable or aggregate information with third parties for lawful purposes.

We do not sell personal information by transferring contact lists for third parties' independent marketing campaigns; however, we may disclose personal information to advertising and analytics partners, including demand-side platforms (DSPs) for purposes of cross-context programmatic advertising, measurement, and campaign analytics. These disclosures may include identifiers (e.g. name, email address, phone number, and mailing address) as well as associated audience or relationship data, where permitted by law. This may be considered a 'sale' or 'share' under applicable privacy laws, and we honor verified opt-out rights for those activities per the request process outlined in the 'State-Specific Privacy Rights and How to Exercise Them' section of this Policy.

We do not enter into agreements with DSPs or advertising partners that would permit them to use personal information disclosed by Neptune Ops for purposes other than those specified in the applicable contract.

We retain personal information only for as long as reasonably necessary and proportionate to achieve the purposes described above, unless a longer retention period is required by law.

We maintain a data retention schedule and periodically review retained data to assess whether continued retention is necessary and proportionate. When personal information is no longer needed, we delete or de-identify it in accordance with our internal data life-cycle procedures.

Website and Service Provider Data Collection: When consumers visit our websites, we and our service providers may automatically collect IP address, device ID, cookie identifiers, browser type, operating system, referring URLs, pages viewed, time spent on pages, general geographic location derived from IP, and interaction data.

Under GDPR and UK GDPR, online identifiers (IP address, device ID, cookie ID) constitute personal data. We do not intentionally collect or process voter files or political profiling data concerning individuals located in the European Economic Area or United Kingdom.

Legal Bases (European Economic Area/United Kingdom): Where GDPR/UK GDPR applies, we rely on consent (Art. 6(1)(a)) for non-essential cookies and analytics technologies and legitimate interests (Art. 6(1)(f)) for security and fraud prevention, network integrity, website functionality, and abuse detection.

Consumers may withdraw consent at any time via the cookie management disclaimer. Cookie choices are available upon initial visit to the site or after deleting/removing cookies from the browser.

For any processing of Special Category data (Art. 9 GDPR) that may be inadvertently received from EEA/UK sources, our lawful basis is Art. 9(2)e (manifestly made public) or Art. 9(2)g (substantial public interest) as applicable.

Vendors: We use third-party service providers (e.g. hosting, analytics, infrastructure, and security vendors). Under GDPR/UK GDPR, these vendors act as processors. Under U.S. law, they act as service providers or contractors. We require contractual safeguards and appropriate data protection measures.

Where GDPR applies, we execute Data Processing Agreements (DPAs) with all processors handling personal data of EEA/UK individuals, as required by GDPR Art. 28.

Website Data Use: We use website visitor data to secure our systems, detect security incidents, and comply with legal obligations. We do not use EU/EEA or UK website visitor data for programmatic advertising or cross-context behavioral advertising.

When consumers visit our websites, we and our service providers may automatically collect essential cookies (e.g., sid, did) to keep accounts secure; however, analytics cookies (e.g., Google Analytics) are optional and set only with a consumer's consent. We honor Global Privacy Control (GPC) by defaulting analytics off when a valid signal is present. See our Cookie Notice for cookie names, purposes, and retention. The Cookie Notice includes a list of all cookies set, their purpose, the party setting them, and their retention period.

Do Not Track Signals (CalOPPA Disclosure): Some browsers offer a "Do Not Track" (DNT) setting. Because there is no uniform industry standard for recognizing or honoring DNT signals, we do not currently respond to browser-based DNT signals. However, we do honor valid Global Privacy Control (GPC) signals as described above. You may also opt-out of online information sharing by setting the Global Privacy Control in your browser before visiting our sites. Learn more at globalprivacycontrol.org.

Third parties such as analytics providers or advertising partners may collect personal information about a consumer's online activities over time and across different websites.

We may disclose personal information to service providers/processors, legal/compliance recipients when required by law or to protect rights, demand-side-platforms (DSPs) for uses of programmatic advertising, successors in interest in the event of a merger, acquisition, or sale of all or part of our business assets, and government or regulatory authorities when required by applicable law, court order, or legal process.

We require service providers to use personal information only to provide services to us.

Neptune Ops qualifies as a "data broker" under certain state laws because we process personal information about individuals with whom we do not have a direct relationship.

We are registered, where required by law, including California, Oregon, Texas, and Vermont. We will update this list as additional state data broker registration requirements take effect.

Residents of these states as noted in the State-Specific Privacy Rights and How to Exercise Them section of this Policy may have rights to request deletion, opt out of sale, and request disclosures about data broker practices.

As a data broker, we maintain compliance records as required by law. In accordance with Vermont law, we maintain a written information security program and conduct reasonable due diligence on purchasers of data. A summary of our data broker registration status, and applicable consumer rights is available upon request by contacting us via the information provided in section 17 of this Policy.

Current California Residents: California residents or their verified authorized agent may exercise their privacy rights under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) through the methods below.

Right to Opt Out of Sale or Sharing: California consumers or authorized agents of California residents may opt out of the sale or sharing of personal information by enabling a valid Global Privacy Control (GPC) signal in a browser, submitting a request through the Neptune Ops LLC Privacy Rights Opt-Out Form, or calling (800) 640-1855.

Access, Deletion, Correction, Portability: California consumers or authorized agents of California residents may request access, deletion, correction, or portability of personal information by submitting a request through the Neptune Ops LLC Privacy Rights ACDR Form or calling (800) 640-1855.

We will not require consumers or authorized agents to create an account, provide government-issued identification, or provide more information than is reasonably necessary to process a consumer's opt-out request. Neptune Ops does not receive or process access, deletion, correction, or portability requests via other methods such as email.

Before fulfilling access, correction, or deletion requests, Neptune Ops may require more information to determine proper verification of identity. Once verified, consumers and authorized agents receive a response via email.

Authorized agents must submit their contact information, information about the Consumer for whom they are making a request, applicable documentation showing the consumer authorized the request on their behalf, and an authorized agent certification.

Once verified, consumers and authorized agents receive a response via email within the timelines required by law and subject to any extensions as permitted by law, including in cases where we are unable to verify or locate any records.

Current California consumers may appeal our decision with respect to a submitted request by responding to the email. If the appeal is denied and the state provides the right to contact the Attorney General, we will provide instructions on how to do so. Neptune will not retaliate against a consumer for exercising their privacy rights. Neptune maintains records of all privacy rights requests for a minimum of 24 months as required by applicable law.

California residents also have the right to request that we provide a list of specific third parties (not categories) to whom we have disclosed personal information for the third parties' own direct marketing purposes, if any, in the preceding calendar year. See the 'Shine the Light' disclosure in section 9 of this Policy.

California Delete Act (DROP Platform): Under the California Delete Act, current California residents may submit a single deletion request through the California Privacy Protection Agency's centralized Data Broker Requests and Opt-Out Platform ("DROP"). Once DROP processing becomes operational (currently expected to begin processing requests on or around August 1, 2026), Neptune Ops will access the DROP platform at least once every 45 days, process verified deletion requests submitted through DROP, direct our service providers and contractors to delete applicable personal information, and maintain records of compliance as required by law.

Consumers may have rights such as: right to know/access what personal information we collect and use; right to delete personal information (subject to legal exceptions); right to correct inaccurate personal information; right to obtain a portable copy of personal information; right to limit use/disclosure of Sensitive Personal Information; and right to not be discriminated against for exercising privacy rights.

Consumers may also submit requests using the process described below:

As a registered data broker, we process deletion requests submitted through the California Privacy Protection Agency's Data Broker Requests and Opt-Out Platform ("DROP"). We access the DROP platform at least once every 45 days and process verified deletion requests within the timeframes required by law.

Right to Limit Use of Sensitive Personal Information: Where applicable, California residents may request that we limit the use and disclosure of Sensitive Personal Information to purposes permitted by law by submitting a request through the Neptune Ops LLC Privacy Rights Opt-Out Form or by calling (800) 640-1855.

California "Shine the Light" Disclosure: Current California residents who have an established business relationship with us may request a notice disclosing the categories of personal information we have shared with third parties, for the third parties' direct marketing purposes, during the preceding calendar year. To request a 'Shine the Light' notice, please submit a request by emailing info@neptuneops.com, sending a request by mail to 945 Market Street, Suite 501, San Francisco, CA 94103, or calling us at (800) 640-1855 and including your preferred method of response. Requests will be responded to within 30 days. If we deny a request, consumers have the right to appeal. If we cannot delete certain information due to legal, contractual, or security obligations, we will inform the consumer consistent with applicable law. We will not discriminate against a consumer for exercising their rights.

Current Residents of Other US States Covered under Privacy Laws: This Section applies to residents of other U.S. states covered under privacy laws and as indicated to residents of the European Economic Union or United Kingdom. Depending on a consumer's state or country of residency, they may have certain privacy rights related to their personal information. The list of current states where privacy laws apply are included in the request forms linked below. Please note Neptune Ops does not at this time operate in or do business within the European Economic Area or the United Kingdom.

States with comprehensive privacy laws currently include (but are not limited to): Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, Oregon, Rhode Island, Tennessee, Texas, and Virginia. We will update our request forms and internal processes as additional state laws take effect.

Right to Opt-out: Current residents of other states covered by privacy laws may opt out of sale/share of Personal Data as defined under applicable state law, targeted advertising defined as displaying advertisements based on personal data obtained from a consumer's activities over time and across nonaffiliated websites or online applications to predict preferences or interests, and profiling in furtherance of decisions that produce legal or similarly significant effects where required by applicable state law, including Colorado and Connecticut.

Consumers of other states covered by privacy laws or their authorized agents may opt out of the sale or sharing of personal information by enabling a valid Global Privacy Control (GPC) signal in a browser, submitting a request through the Neptune Ops LLC Privacy Rights Opt-Out Form, or calling (800) 640-1855.

Right to Confirm and Access, Correct, Delete and Portability of Consumer Information: Consumers of other states covered by privacy laws or their verified authorized agents may request confirmation of whether we process the consumer's personal data and obtain access to that data. Consumers or authorized agents may also request correction of their inaccurate personal data we maintain about the consumer, deletion of their personal data provided by or obtained about the consumer, subject to legal and statutory exceptions (including security, fraud prevention, contractual necessity, and legal compliance), or a portable copy of their personal data previously provided to us, in a technically feasible and readily usable format.

Consumers of other states covered under privacy laws or their authorized agents may submit access, deletion, correction, or portability requests using the Neptune Ops LLC Privacy Rights ACDR Form. We will not require consumers or authorized agents to create an account, provide government-issued identification, or provide more information than is reasonably necessary to process the consumer's opt-out request. Neptune Ops does not receive or process access, deletion, correction, or portability requests via other methods such as email.

Before fulfilling access, correction, or deletion requests from residents of other states, Neptune Ops may require more information to determine proper verification of identity. Once verified, consumers and authorized agents receive a response via email within the timelines required by law and subject to any extensions as permitted by law, including in cases where we are unable to verify or locate any records.

Authorized agents must submit their contact information, information about the Consumer for whom they are making a request, applicable documentation showing the consumer authorized the request on their behalf, and an authorized agent certification.

Once verified, consumers and authorized agents receive a response via email within the timelines required by law and subject to any extensions as permitted by law, including in cases where we are unable to verify or locate any records.

Consumers in states providing appeal rights may appeal our decision with respect to a submitted request by responding to the email. If the appeal is denied and the consumer's state provides the right to contact the Attorney General, we will provide instructions on how to do so. Neptune will not retaliate against a consumer for exercising their privacy rights. Neptune maintains records of all privacy rights requests for a minimum of 24 months as required by applicable law.

Consent to Process Sensitive Personal Data: Certain state laws (including but not limited to, Colorado, Connecticut, Delaware, Florida, Montana, New Hampshire, New Jersey, Oregon, Texas, Virginia) require consumer consent before processing "sensitive data," which may include political affiliation, race or ethnicity, religious beliefs, health information, sexual orientation, citizenship or immigration status, biometric identifiers, precise geolocation data, mental health diagnosis, and genetic data.

Where required by applicable law, we verify consumer information and obtain consent before taking action on the consumer's opt-out, access, correct, deletion, or portability processing request, unless another lawful basis applies. Once verified, consumers or authorized agents receive a response via email.

Authorized agents must submit their contact information, information about the Consumer for whom they are making a request, applicable documentation showing the consumer authorized the request on their behalf, and an authorized agent certification.

Once verified, consumers and authorized agents receive a response via email within the timelines required by law and subject to any extensions as permitted by law, including in cases where we are unable to verify or locate any records.

Consumers for states with appeal rights including Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Indiana, Tennessee, New Jersey, and New Hampshire among others may appeal our decision with respect to a submitted request by responding to the email. We will review and respond to appeals within the timeframe required by applicable state law. If the appeal is denied and the consumer's state of residence provides the right to contact the state Attorney General, we will provide instructions on how to do so. Neptune will not retaliate against a consumer for exercising privacy rights. Neptune maintains records of all privacy rights requests for a minimum of 24 months as required by applicable law.

State Law Variations: Some state laws apply only to certain entities based on revenue thresholds, data volume thresholds, or industry classifications. If a particular state privacy law does not apply to Neptune Ops based on statutory scope requirements, we will inform the consumer of non-application. We review our compliance obligations under state privacy laws at least annually and will update this Policy as new laws or amendments take effect.

Current Residents of the European Union or United Kingdom covered under GDPR: Consumers located in the European Economic Area or the United Kingdom have rights under applicable data protection law, including access, rectification, erasure, restriction of processing, objection to processing, data portability, withdrawal of consent where processing is based on consent, and the right to lodge a complaint with the local supervisory authority.

Consumers located in the EEA or UK who wish to exercise their privacy rights under applicable data protection law may submit a request using the Neptune Ops LLC Privacy Rights ACDR Form. Neptune Ops will respond to verified requests to the extent GDPR or UK GDPR applies to our processing of the consumer's personal data. Because Neptune Ops does not currently operate in or target the EEA or UK, GDPR may apply only in limited circumstances (e.g., incidental website visitor data). We will handle all such requests in good faith and in accordance with applicable law.

Information Obtained from Third Parties (GDPR Art. 14): When we process personal data we did not obtain directly from the consumer (e.g., from a third party vendor or a customer file), this Policy serves as our Article 14 notice. Where direct notice to each individual would involve disproportionate effort, we rely on this publicly available privacy notice and provide accessible mechanisms for individuals to exercise their privacy rights, including opt-out and data access, deletion, correction, and portability requests. This determination is based on factors such as the scale of datasets processed, the absence of direct contact information in certain records, and the limited impact on individuals. We maintain suppression mechanisms to ensure individuals who opt out are not reintroduced into our datasets where feasible.

To protect individuals' rights, we implement safeguards including publicly accessible privacy notices; clear mechanisms to exercise data rights (including deletion and opt-out); suppression systems to prevent re-ingestion of opted-out data; and Data Processing Agreements (DPAs) with all third-party processors handling EEA/UK personal data, as required by GDPR Art. 28.

If a consumer accesses Neptune's website or platform from outside the United States, the consumer's information may be processed in the U.S. and other countries that may not offer the same level of protection. Where required, we use appropriate safeguards (e.g., standard contractual clauses) and conduct transfer impact assessments to evaluate risks.

For transfers of EEA/UK personal data to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.

We do not transfer EEA/UK personal data to countries without an adequacy decision unless the transfer is covered by SCCs, binding corporate rules, or another appropriate safeguard under Art. 46 GDPR.

We use technical and organizational measures to protect personal information, including role-based access controls, secure session/device management, encryption in transit, environment hardening, monitoring, and audit logging of sensitive operations. No system is perfectly secure; we continually improve our safeguards.

We maintain a written information security program (WISP) that is reviewed and updated at least annually.

In the event of a data breach involving personal information, we will notify affected individuals and applicable regulatory authorities in accordance with applicable breach notification laws, including but not limited to California Civil Code §1798.82 and state breach notification statutes.

Our website and proprietary platform may use automated systems to analyze data and generate insights, including relationship mapping, influence scoring, or audience segmentation. These processes support analytics and campaign management features and are not intended to produce legal or similarly significant effects for individuals.

We do not use automated decision-making (including profiling) to make decisions about individuals that produce legal or similarly significant effects without human review.

Under GDPR Art. 22, EEA/UK individuals have the right not to be subject to solely automated decisions producing legal or similarly significant effects. To the extent our systems interact with EEA/UK data, we apply human oversight to any decision-affecting outputs.

Our websites and proprietary platform may link to third-party services. Their privacy practices are governed by their own policies.

Neptune Ops is not responsible for the privacy practices of third-party websites or services accessible via links on our websites. We encourage consumers to review the privacy policies of any third-party services they access.

Neptune Ops does not knowingly sell or share personal information of individuals under 18 years of age. Where required by law, we implement reasonable safeguards designed to prevent the processing of minors' data for advertising purposes. If we become aware that such data has been collected without appropriate authorization, we will take steps to delete it promptly.

Neptune Ops does not operate websites, services, or applications directed at children under 13 and does not knowingly collect personal information from children under 13. If we become aware that personal information of a child under 13 has been collected, we will delete it promptly in accordance with COPPA requirements.

We may update this Policy from time to time. The date on the Policy reflects the active version of the Policy. If changes materially affect how we handle personal information, we will provide additional notice.

Material changes will be communicated by posting a notice on our website homepage for at least 30 days prior to the change taking effect, or by direct notification to affected users where feasible and required by law.

Prior versions of this Policy are available upon request by contacting us at info@neptuneops.com.

To request this Policy in an alternative format (e.g., large print, screen reader-compatible format), please email info@neptuneops.com or call (800) 640-1855.

For questions regarding this Policy, contact us at: