LeadDyno Global Privacy Policy

Last Updated: June 25, 2026

1. Introduction

SureSwift Worldwide Inc. dba LeadDyno ("LeadDyno," referred to as "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy and Cookie Notice ("Policy") describes how we collect, use, disclose, and protect personal information about visitors to our website at https://www.leaddyno.com (the "Site"), users of our services, including through access to and use of our platform and/or any application (collectively, the "Services"), and others who interact with us.

This Policy applies to personal information we process as a controller (or equivalent). It does not apply to information we process on behalf of our business customers in our capacity as a service provider or data processor – that processing is governed by our agreements with those customers.

Please read this Policy carefully. By accessing or using our Site or Services, you acknowledge you have read and understood this Policy. Where required by applicable law, we will obtain your consent before collecting or using your personal information in certain ways. We are committed to making this Policy accessible to all users, including individuals with disabilities, in accordance with Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. If you need this Policy in an alternative format, please contact us at privacy@sureswiftcapital.com.

2.  Quick Reference: Your Privacy Rights by Jurisdiction

Depending on where you reside, you may have specific legal rights regarding your personal information. The table below provides a summary; full details appear in Section 12.

Jurisdiction / Law Key Consumer Rights
California (CCPA / CPRA) Know; Access; Correct; Delete; Opt-Out of Sale/Sharing; Limit Sensitive Personal Information; Non-Discrimination; Shine the Light
European Union (GDPR) Access; Rectification; Erasure (Right to be Forgotten); Restriction; Data Portability; Objection; Rights re Automated Decision-Making; Lodge Complaint with Supervisory Authority
United Kingdom (UK GDPR) Same as EU GDPR; supervised by the Information Commissioner's Office (ICO)
Canada - PIPEDA / Quebec Law 25 Access; Correction; Withdrawal of Consent; Complaint to Office of the Privacy Commissioner (OPC) or Commission d'acces a l'information (CAI, Quebec)
Other U.S. States (VA, CO, CT, TX, MT, OR, UT, etc.) Access / Confirmation; Correction; Deletion; Portability; Opt-Out of Sale / Targeted Advertising / Profiling; Right to Appeal Denial

d

3.  Personal Information We Collect

We collect personal information in the following ways, depending on how you interact with us.

3.1  Information You Provide Directly

We collect personal information you voluntarily provide when you:

  • Create an account or register for the Services (e.g., name, email address, password, job title, company name);
  • Subscribe to or purchase the Services (e.g., billing name, mailing address; payment card data is processed by our payment processor and not stored on our systems);
  • Contact us for support, with inquiries, or to provide feedback (e.g., name, email address, contents of your messages);
  • Participate in surveys, promotions, webinars, or events; and/or
  • Use interactive features that require you to submit content or data.
3.2  Information Collected Automatically

When you visit our Site or use our Services, we and our technology partners automatically collect:

  • Usage Data: pages viewed, features used, links clicked, searches conducted, and in-app actions;
  • Device and Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, and time zone;
  • Log Data: server access logs, error logs, referring URLs, date and time of requests;
  • Location Data: approximate geographic location (country, state/region) inferred from your IP address, and precise geolocation only if you provide explicit permission through your device or browser settings, where applicable; and/or
  • Cookie and Tracking Data: information collected through cookies, pixels, web beacons, and similar technologies (see Section 7).
3.3  Information from Third Parties

We may receive personal information about you from third parties, including:

  • Social login or SSO providers (e.g., Google, Microsoft) if you sign in through a third-party account;
  • Integration partners and resellers who refer customers to our Services;
  • Publicly available professional sources (e.g., professional directories, company websites); and/or
  • Data enrichment providers that supplement our records with business contact information.
3.4  CCPA/CPRA: Categories of Personal Information

The table below discloses, for purposes of the CCPA/CPRA, the categories of personal information we have collected in the preceding 12 months, the business or commercial purposes for which each category is collected, and the categories of third parties to whom each category is disclosed.

CCPA/CPRA Category Examples Collected Business Purpose(s) Disclosed To
Identifiers Name, email address, username, IP address, device ID, cookie ID Account management; Services delivery; security; analytics; marketing communications Services providers; analytics providers; advertising partners
Personal Records (Cal. Civ. Code §1798.80) Name, address, telephone number; billing information (processed via payment processor) Services delivery; billing; account management Payment processors; service providers
Commercial Information Subscription plan, purchase history, product usage, feature adoption Services delivery; analytics; customer success outreach Services providers; CRM tools
Internet / Electronic Network Activity Browsing history on Site; feature usage logs; clickstream data Security; debugging; product analytics; Services improvement Analytics providers; service providers
Geolocation Data (Non-Precise) Country, state, approximate city inferred from IP address Analytics; localization; tax compliance Analytics providers; service providers
Professional / Employment Information Job title, company name (if provided by user) Account management; personalization; communications Services providers; CRM tools
Inferences / Profile Data Usage patterns, feature preferences, account tier, engagement data Product improvement; customer success; relevant communications Services providers
Sensitive Personal Information Account login credentials. Account authentication, security, fraud prevention, and service delivery. Service providers only; no sale or sharing.

We do not knowingly collect biometric identifiers, genetic data, health or medical information, racial or ethnic origin, religious beliefs, or sexual orientation data, except as required by law or with your explicit consent.

4.  How We Use Your Personal Information

We use personal information we collect for the following purposes:

4.1  Providing and Improving the Services
  • Creating, verifying, and managing your account;
  • Processing transactions and managing billing and subscriptions;
  • Delivering, operating, and maintaining the Services and their features;
  • Providing technical support and responding to your requests;
  • Developing new features and improving existing functionality; and
  • Personalizing your experience.
4.2  Communications
  • Sending transactional and Services-related notices (e.g., account activity alerts, billing, security notifications, policy updates);
  • Responding to your inquiries and support tickets;
  • Sending marketing, promotional, and educational communications where you have provided consent, where we have an existing customer relationship and the communication relates to similar products or services (soft opt-in), or where otherwise permitted by applicable law. All marketing communications include an unsubscribe mechanism. You may opt out at any time; and
  • Sending product updates, newsletters, and invitations to events or webinars.
4.3  Security, Fraud Prevention, and Safety
  • Detecting, investigating, and preventing unauthorized access, security incidents, and fraudulent activity;
  • Protecting the security and integrity of our systems, infrastructure, and user data; and
  • Verifying identity and authenticating users.
4.4  Legal Compliance and Enforcement
  • Complying with applicable laws, regulations, subpoenas, court orders, and legal processes;
  • Enforcing our Terms of Service, acceptable use policies, and other agreements;
  • Establishing, exercising, or defending legal claims; and 
  • Maintaining required financial and operational records.
4.5  Analytics and Business Operations
  • Analyzing usage trends, Services performance, and user behavior to improve our products;
  • Conducting research, surveys, and A/B testing; and 
  • Supporting internal finance, audit, planning, and compliance functions.
4.6  Other Purposes

We may use your personal information for other purposes disclosed to you at the time of collection or with your consent.

5.  Legal Bases for Processing (GDPR and UK GDPR)

If you are located in the EEA or the UK, we process your personal data on the following legal bases under the GDPR and UK GDPR:

Legal Basis Processing Activities Additional Notes
Performance of a Contract (Art. 6(1)(b)) Account creation and management; Services delivery; billing and subscription management; technical support Processing necessary to fulfill our contractual obligations to you as a Services user
Legitimate Interests (Art. 6(1)(f)) Fraud prevention and security; product analytics and improvement; direct marketing to existing customers; enforcing our terms; Services update communications We have conducted a Legitimate Interests Assessment (LIA) for each activity, which is available upon request. Our interests include operating secure, reliable Services; communicating about relevant products; and protecting against fraud. You have the right to object (see Section 12.2).
Legal Obligation (Art. 6(1)(c)) Tax and accounting compliance; responding to lawful authority requests; maintaining legally required records Required by EU/UK law or the laws of our jurisdiction


Special Category Data (Art. 9 GDPR): We do not intentionally collect special categories of personal data (data revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data about sex life or sexual orientation) unless required by law or with your explicit consent. If we ever process such data, we will identify an appropriate Article 9 condition and notify you.

6.  How We Share Your Personal Information

We do not sell your personal information for monetary or other valuable consideration. We may share personal information as described below.

6.1  Services Providers and Data Processors

We engage third-party companies to perform services on our behalf, including:

  • Cloud infrastructure and hosting providers;
  • Payment processors (subject to PCI-DSS compliance; they handle billing data independently);
  • Customer relationship management (CRM) and marketing automation platforms;
  • Customer support and helpdesk tools;
  • Analytics, error monitoring, and performance measurement tools;
  • Email delivery and communications services; and
  • Security, identity verification, and fraud prevention services.

Service providers are authorized to use personal information only as necessary to provide services to us and are bound by contractual data protection obligations. Under GDPR/UK GDPR, these parties act as data processors and we execute Data Processing Agreements (DPAs) with each.

6.2  Business Partners 

We may share information with marketing consultants, technology integration partners, resellers and/or referral partners to facilitate the delivery of the Services or complementary offerings, subject to contractual obligations requiring those partners to protect personal information in a manner consistent with this Policy. Such sharing will be disclosed at the time of collection or in a supplemental notice.

6.3  Analytics and Advertising

We use third-party analytics services and, where applicable, advertising networks. These providers may receive device identifiers, usage data, and demographic inferences. Specific tools are identified in Section 7 (Cookies). You may opt out as described in Sections 8 and 13.

6.4  Corporate Transactions

If we undergo a merger, acquisition, asset sale, reorganization, dissolution, or similar transaction, personal information may be transferred to a successor entity as part of that transaction, subject to appropriate confidentiality protections. The successor entity will be bound by this Policy with respect to previously collected personal information until it provides its own notice of any changes. We will provide notice to affected individuals prior to or promptly following such a transaction: (a) for EEA/UK residents, the new controller will notify you of its identity, contact details, and any new purposes within one month of the transfer in accordance with GDPR Articles 13/14; (b) for Quebec residents, we will conduct a Privacy Impact Assessment (PIA/EFVP) prior to the transfer as required by Quebec Law 25 and notify the Commission d'acces a l'information (CAI) where applicable; (c) for California residents, we will provide notice and honor prior opt-out preferences under the CCPA/CPRA; and (d) for Canadian residents under PIPEDA, the successor organization will be bound by existing consent obligations and individuals will be notified of the change. Where required by applicable law, we will seek consent or provide an opt-out opportunity before any material change in the use of personal information resulting from such a transaction.

6.5  Legal Requirements and Protection of Rights

We may disclose personal information if we reasonably believe that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or safety of us, our users, or the public where there is a credible threat; or (d) detect, prevent, or address fraud, security incidents, or technical issues.

6.6  CCPA/CPRA — Sale and Sharing Disclosure

Under the CCPA/CPRA, certain data disclosures to advertising and analytics partners may qualify as a "sale" or "sharing" for cross-context behavioral advertising even without a direct monetary exchange.

We may "share" personal information (such as cookie identifiers and usage data) with advertising partners for cross-context behavioral advertising. California residents may opt out via the "Do Not Sell or Share My Personal Information" link on our homepage or by submitting a request as described in Section 12.5. We honor Global Privacy Control (GPC) signals. We do not sell or share the personal information of consumers known to be under 16 years of age without opt-in consent.

7.  Cookies and Tracking Technologies (Cookie Policy)

7.1  What Are Cookies?

Cookies are small data files stored on your device when you visit a website. We also use related tracking technologies including web beacons (clear GIFs or pixel tags), HTML5 local storage, and software development kits (SDKs). We use the term "cookies" throughout this Section to refer to all such technologies collectively.

7.2  Types of Cookies We Use
Category Purpose Examples / Tools Consent Required? Duration
Strictly Necessary Essential for the Site and Services to function. Cannot be disabled without breaking core functionality. Google reCAPTCHA, session management, authentication tokens, CSRF protection No - exempt from consent requirements; required for operation Session to persistent
Functional / Preference Remember preferences and settings to enhance the user experience. Figma application settings, YouTube interface preferences Yes (EU/UK/Canada); opt-out available for other jurisdictions Session to persistent
Analytics / Performance Understand how users interact with the Site and Services, measure performance, and improve functionality. Google Analytics, HubSpot, Zendesk, Calendly, PostHog, Sprig, Statsig, Optibase Yes (EU/UK/Canada); opt-out available for other jurisdictions Session to persistent
Marketing / Advertising Deliver relevant advertising, measure campaign performance, and support attribution and remarketing. Google Ads, Meta Pixel, LinkedIn Insight Tag, Microsoft Bing Ads, YouTube, LeadDyno Affiliate Tracking Yes (EU/UK/Canada); Opt-out / GPC honored where required by law Session to persistent
7.3  First-Party vs. Third-Party Cookies

First-party cookies are set directly by us. Third-party cookies are set by third-party services we integrate into our Site (e.g., analytics and advertising providers). Third parties may use cookies to track your activity across different websites and over time. While we select and configure the third-party services deployed on our Site, the data collected by those third parties is also subject to their own privacy policies. We encourage you to consult each provider's privacy policy for more information about their data practices, which can be reviewed here:

Cookie / Service Provider Purpose Category Duration
1 calendly.com Maintain and identify the user session to enable secure Calendly scheduling flows and related authentication on embedded pages. Marketing session
__cf_bm Cloudflare Bot management and security protection cookie Strictly Necessary 30 minutes
__gtm_campaign_url Google Tag Manager Stores campaign and referrer URL for signup attribution Advertising Persistent
__hssc HubSpot Keeps track of sessions to determine if HubSpot should increment the session number. Analytics 30 minutes
__hssrc HubSpot Determines if the visitor has restarted their browser. Analytics session
__hstc HubSpot Used for website analytics to track visitors and sessions Analytics 2 years
__Secure-ROLLOUT_TOKEN Google Registers a unique ID to keep statistics of what videos from YouTube the user has seen. Marketing 180 days
__Secure-YNID Google It's a YouTube cookie used to enhance user experience by storing video player preferences and aiding in secure log-ins and spam detectio Essential 180 days
__stripe_mid Stripe Fraud prevention and device identification during billing Strictly Necessary 1 year
__stripe_sid Stripe Session identifier used for payment fraud prevention Strictly Necessary 30 minutes
_ab calendly.com Used in connection with access to admin. Essential session
_cache calendly.com Stores cached scheduling and preference data needed to load Calendly widgets and pages quickly and keep users signed in. Marketing persistent
_cfuvid Cloudflare Security and rate-limiting identifier Strictly Necessary Session
_clck Microsoft Clarity Persists Clarity user ID and session replay preferences Analytics 1 year
_clsk Microsoft Clarity Connects page views into a single Clarity session recording Analytics 1 day
_fbp Meta Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers Marketing persistent
_ga Google Analytics Calculates visitor data and tracks site usage for the analytics report. Analytics 1 year 1 month 4 days
_ga_K4P5RLZ8KR Google Analytics Stores and counts page views for a specific Google Analytics 4 property. Analytics 1 year 1 month 4 days
_ga_Z8EST880Z8 Google Analytics Stores and counts page views for a specific Google Analytics 4 property. Analytics 1 year 1 month 4 days
_gcl_au Google Analytics Used by Google Ads to take information from ad clicks and store it in a first-party cookie so that conversions can be attributed outside the landing page Marketing 3 months
_gcl_ls Google Analytics Used by Google AdSense to understand user interaction with the website by generating analytical data Marketing 90 days
_gid Google Analytics Distinguishes users for analytics reporting Analytics 24 hours
_GRECAPTCHA Google reCAPTCHA Risk analysis and spam prevention for forms Strictly Necessary 6 months
_leaddyno_session LeadDyno Maintains authenticated user session, CSRF protection, flash messages, and login state Strictly Necessary Session / 24 hours
_mf calendly.com Maintain a temporary session identifier to recognize the user and support secure scheduling during the visit. Marketing session
_uetsid Microsoft Advertising (Bing UET) Session identifier for advertising attribution Advertising 1 day
_uetvid Microsoft Advertising (Bing UET) Visitor identifier used for advertising attribution and retargeting Advertising 13 months
affiliates_only LeadDyno Stores affiliate-only reporting view preference Functional Session
affiliates_tab_daterange LeadDyno Remembers selected date range on affiliate dashboard Functional Session
ajs_anonymous_id calendly.com Counts the number of unique visits to the site by tracking anonymous visitors. Analytics 1 year
ajs_anonymous_id Segment Anonymous visitor identifier for analytics tracking Analytics 1 year
ajs_user_id calendly.com Tracks visitor usage and events for Calendly integrations. Analytics 1 year
ajs_user_id Segment Stores identified user ID after login Analytics 1 year
hubspotutk HubSpot Keeps track of a visitor identity. Analytics 2 years
id Google This cookie is used for targeting, analyzing and optimisation of ad campaigns in DoubleClick/Google Marketing Suite Marketing 2 months
initialPathName Figma Store the initial URL path a user visits so the app can restore or adapt navigation flows during the current session. Personalization session
lastExternalReferrer Meta Detects how the user reached the website by registering their last URL-address Marketing persistent
lastExternalReferrerTime Meta Detects how the user reached the website by registering their last URL-address Marketing persistent
LD_APP_SID LeadDyno App session identifier used to track signed-in merchant sessions Functional 30 minutes
LD_H LeadDyno Integrity hash linking visitor activity to lead records Functional Persistent
LD_L LeadDyno Stores identified lead information for affiliate attribution (may contain email address) Advertising Persistent
LD_R LeadDyno Stores referring URL for affiliate attribution tracking Advertising Session
LD_S Google Analytics Stores internal state needed to periodically send visit and lead data for affiliate attribution and marketing analytics. Marketing 5 minutes
LD_S LeadDyno Stores visit session timestamp for affiliate tracking Analytics Session
LD_T Google Analytics Store a unique visitor ID so affiliate clicks, leads and purchases can be linked and commissions attributed. Marketing 100 years
LD_T LeadDyno Visitor identifier used for affiliate and referral attribution Advertising Persistent
LD_U Google Analytics Track and attribute affiliate marketing visits, including initial landing page, to measure campaign performance and payouts. Marketing 13 months
LD_U LeadDyno Stores last visited URL for tracked visitor session Analytics Session
li_adsId LinkedIn Stores a unique visitor identifier used by LinkedIn Ads for conversion tracking and audience matching across sites using the LinkedIn Insight Tag Marketing 30 days
optibaseCachedInitializeResponse-testsfalse-conversionsfalse optibase.io Stores initialization parameters for A/B testing and conversion tracking. Analytics 30 days
optibaseCachedInitializeResponse-teststrue-conversionstrue optibase.io Stores initialization parameters indicating active tests and active conversions. Analytics 30 days
ph_phc_5bpupckWJHmhrnZoZJ8m6EZyAjqL7SMZVClK66wP33M_posthog PostHog Used by PostHog Analytics to get insights into user behavior and track events. Analytics Configurable by customer, default 7 years for events
ph_phc_5bpupckWJHmhrnZoZJ8m6EZyAjqL7SMZVClK66wP33M_primary_window_exists PostHog Used by PostHog Analytics to get insights into user behavior and track events. Analytics Configurable by customer, default 7 years for events
ph_phc_5bpupckWJHmhrnZoZJ8m6EZyAjqL7SMZVClK66wP33M_window_id PostHog Maps events to a specific browser window or tab. Analytics session
rc::a Google Used by Google reCAPTCHA to store internal session analytics and risk scoring data for bot detection Essential Persistent in browser local storage until manually cleared
rc::c Google Used by Google reCAPTCHA to store challenge state and token data Essential Session in local browser storage
reportings_affiliate_daterange LeadDyno Stores reporting date range filter preference Functional Session
reportings_affiliate_status_filter LeadDyno Stores affiliate status filter preference Functional Session
sprig.anon.env.vid.map Sprig Maps anonymous visitor IDs for in-product surveys and product research. Analytics Persistent in browser local storage until manually cleared
sprig.disableReplayRecording Sprig Stores user preferences regarding session replay recording. Analytics Persistent in browser local storage until manually cleared
STATSIG_LOCAL_STORAGE_STABLE_ID Statsig Stores a stable device identifier for Statsig feature flag and experiment assignment Analytics Persistent in browser local storage until manually cleared
statsig.session_id.184042872 Statsig Statsig SDK cache data for feature gates, experiments, and evaluation results Analytics Persistent in browser local storage until manually cleared
statsig.stable_id.184042872 Statsig Statsig SDK cache data for feature gates, experiments, and evaluation results Analytics Persistent in browser local storage until manually cleared
statsig.stable_id.501823423 Statsig Statsig SDK cache data for feature gates, experiments, and evaluation results Analytics Persistent in browser local storage until manually cleared
userleap.ids Sprig Maps anonymous visitor IDs to Sprig environments for consistent user targeting across sessions for in-product surveys Analytics Persistent in browser local storage until manually cleared
VISITOR_INFO1_LIVE YouTube Used as a unique identifier to track viewing of videos and estimate bandwidth usage Marketing 5 months
VISITOR_PRIVACY_METADATA YouTube Stores visitor privacy settings and consent information for personalized advertising Marketing 5 months
YSC YouTube Used to track user interactions and measure advertising effectiveness for embedded videos Marketing session
yt-icons-last-purged youtube Store a timestamp of when YouTube icon assets were last cleared so the embedded player can load interface graphics efficiently and consistently. Personalization persistent
ytidb::LAST_RESULT_ENTRY_KEY YouTube Stores the last search result entry that was clicked by the user to improve the user experience by providing more relevant search results in the future Marketing Persistent in browser local storage until manually cleared
ZD-buid Zendesk Widget Unique browser identifier for the Zendesk chat widget. Analytics 1 year
ZD-suid Zendesk Widget Unique session identifier for the Zendesk chat widget. Analytics 20 mins

7.4  Managing Your Cookie Preferences

You have several options to control or opt out of cookies:

  • Cookie Consent Banner / Consent Management Platform (CMP): When you first visit our Site, a cookie consent banner will appear. You may accept all cookies, reject all non-essential cookies, or customize your preferences by category. Rejecting non-essential cookies is as easy as accepting them - we do not use pre-checked boxes or dark patterns. Your consent preferences are recorded and can be verified for compliance purposes. You can update your preferences at any time by clicking "Cookie Settings" at the bottom left of our website. If you do not interact with the banner, no non-essential cookies will be placed.
  • Browser Controls: Most browsers allow you to block or delete cookies through browser settings. Restricting cookies may affect the functionality of our Site or Services. Visit your browser's help documentation for instructions.
  • Industry Opt-Out Tools: Opt out of interest-based advertising at: optout.networkadvertising.org (NAI); optout.aboutads.info (DAA); youronlinechoices.eu (EDAA, for EU/UK users).
  • Google Analytics Opt-Out: Install the Google Analytics browser add-on at tools.google.com/dlpage/gaoptout.
7.5  Global Privacy Control (GPC)

We recognize and honor the Global Privacy Control (GPC) opt-out preference signal. If your browser or device transmits a GPC signal, we will treat it as a request to opt out of the "sale" and "sharing" of your personal information under applicable law, including for California residents under CCPA/CPRA and for residents of other states that require GPC recognition. Honoring GPC does not disable strictly necessary cookies.

8.  Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, subject to any longer retention period required by applicable law. Our retention criteria include:

  • Account data: retained for the duration of your active account, plus 24 months thereafter to allow account reactivation and resolve outstanding billing or legal matters;
  • Transaction and billing records: retained for 7 years as required by tax, accounting, and financial regulations;
  • Support and communications data: retained for 36 months after closure of the inquiry or account;
  • Cookie and analytics data: retained per the lifespan set for each cookie type (see Section 7.2), or as configured in our analytics platforms (typically 13–26 months);
  • Marketing data: retained until you opt out or unsubscribe, plus a brief period to process your request; and
  • Legal hold data: retained as long as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

When personal information is no longer needed for any of the above purposes, we securely delete or irreversibly anonymize it. Where immediate deletion is technically infeasible (e.g., in backup archives), we isolate the data from further use until deletion is possible.

9.  International Data Transfers

LeadDyno is based in Edina, Minnesota. Our servers, systems, and service providers may be located in the United States and Canada, among other countries. If you access the Services from outside the United States, your personal information may be transferred to, stored in, and processed in the United States and other countries that may not provide the same level of data protection as your country of residence.

9.1  Transfers from the EEA

For transfers of personal data from the EEA to countries not recognized by the European Commission as providing adequate protection, we rely on European Commission Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914 (using Controller-to-Processor [Module 2] or Controller-to-Controller [Module 1] clauses as applicable). Copies of our SCCs are available upon request at privacy@sureswiftcapital.com

9.2  Transfers from the United Kingdom

For transfers of personal data from the UK to countries not recognized as adequate by the UK Secretary of State, we rely on the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner’s Office, or the UK Addendum to the EU Standard Contractual Clauses (as applicable). Copies are available upon request at privacy@sureswiftcapital.com.

9.3  Transfers from Canada (Including Quebec)

For cross-border transfers of personal information from Canada, we implement contractual safeguards to ensure recipients provide a comparable level of protection. For personal information from Quebec, we conduct a Privacy Impact Assessment (PIA / Evaluation des facteurs relatifs à la vie privée — EFVP) prior to any cross-border communication, as required by Quebec Law 25.

10.  Data Security

We implement appropriate technical and organizational security measures designed to protect your personal information against unauthorized access, disclosure, alteration, destruction, or loss, including:

  • Encryption of data in transit using TLS 1.2 or higher;
  • Encryption of sensitive data at rest using industry-standard algorithms;
  • Role-based access controls and the principle of least privilege;
  • Multi-factor authentication (MFA) required for administrative system access;
  • Regular security testing, vulnerability assessments, and penetration testing;
  • Security due diligence of service providers, with Data Processing Agreements (DPAs) for all vendors handling personal data; and
  • Employee and contractor training on data protection, security awareness, and confidentiality obligations.

No security measure is completely impenetrable. If you believe your account or personal information has been compromised, please contact us immediately at privacy@sureswiftcapital.com. In the event of a personal data breach, we will notify affected individuals and relevant regulatory authorities as required by applicable law, including within 72 hours of becoming aware of a reportable breach under GDPR/UK GDPR, and within the timeframes required by applicable U.S. state breach notification laws and Canadian privacy legislation (including Quebec Law 25, which requires notification to the CAI and affected individuals when there is a risk of serious injury).

11.  Children's Privacy

Our Site and Services are not directed to children under the age of 13 (or under 16 where required by applicable law, such as the GDPR) and we do not knowingly collect personal information from children without verified parental or guardian consent. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at privacy@sureswiftcapital.com and we will promptly delete that information.

We comply with the Children's Online Privacy Protection Act (COPPA) in the United States, the UK Children's Code (Age Appropriate Design Code), applicable GDPR protections for children's personal data, and analogous Canadian requirements. Where we become aware that we have collected personal information from a child without appropriate consent, we will delete it as soon as practicable.

12.  Your Privacy Rights and How to Exercise Them

12.1  California Residents — CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”):

Right What It Means
Right to Know (Categories) Request disclosure of: the categories of personal information we have collected about you; categories of sources; our business/commercial purposes for collecting it; categories of third parties we disclosed it to; and the specific pieces of personal information we hold about you.
Right to Delete Request deletion of personal information we have collected, subject to statutory exceptions (e.g., completing an ongoing transaction, security purposes, legal obligations, fraud detection).
Right to Correct Request that we correct inaccurate personal information we maintain about you.
Right to Opt-Out of Sale / Sharing Opt out of the "sale" of personal information or its "sharing" for cross-context behavioral advertising.
Right to Limit Use of Sensitive PI Request that we limit our use and disclosure of sensitive personal information to purposes expressly permitted by the CPRA (e.g., providing the Services you requested).
Right to Non-Discrimination We will not deny goods or services, charge different prices, or provide a different quality of service because you exercised your CCPA/CPRA rights.
Shine the Light (Cal. Civ. Code §1798.83) Once per calendar year, California residents may request a list of categories of personal information we have shared with third parties for their direct marketing purposes during the prior calendar year. Email privacy@sureswiftcapital.com with subject line "Shine the Light Request."

12.2  EEA and UK Residents — GDPR / UK GDPR

If you are located in the EEA or UK, you have the following rights under the GDPR and/or UK GDPR:

Right What It Means
Right of Access (Art. 15) Obtain confirmation of whether we process your personal data and, if so, receive a copy of that data together with prescribed supplementary information (including purposes, categories, recipients, retention period, and applicable rights).
Right to Rectification (Art. 16) Request correction of inaccurate personal data and completion of incomplete personal data.
Right to Erasure / Right to be Forgotten (Art. 17) Request deletion of your personal data where: it is no longer necessary for its original purpose; you withdraw consent (and there is no other legal basis); you successfully object (see below); or the data has been unlawfully processed.
Right to Restriction (Art. 18) Request suspension of processing in certain circumstances (e.g., while we verify data accuracy or assess an objection).
Right to Data Portability (Art. 20) Receive personal data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller (applies where processing is consent- or contract-based and is automated).
Right to Object (Art. 21) Object to processing based on legitimate interests or direct marketing at any time. For direct marketing, we will always honor your objection immediately. For other legitimate interest processing, we will comply unless we can demonstrate compelling overriding legitimate grounds.
Rights re Automated Decision-Making (Art. 22) Not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects on you. We do not use solely automated decision-making that produces legal or similarly significant effects on individuals.
Right to Withdraw Consent Withdraw consent at any time (where processing is consent-based) without affecting the lawfulness of prior processing.
Right to Lodge a Complaint Lodge a complaint with the supervisory authority in your EU Member State of habitual residence, place of work, or where the alleged infringement occurred. UK residents may contact the ICO at ico.org.uk or 0303 123 1113.
12.3  Canadian Residents — PIPEDA and Quebec Law 25

If you reside in Canada, you have the following rights:

  • Right of Access: Request access to the personal information we hold about you and information about how it has been and is being used and disclosed;
  • Right to Correction: Request correction of personal information that is inaccurate or incomplete;
  • Right to Withdraw Consent: Withdraw consent to our collection, use, or disclosure of personal information, subject to legal or contractual restrictions and reasonable notice. Withdrawal may limit our ability to provide certain Services;
  • Right to File a Complaint: File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca. Quebec residents may also contact the Commission d'accès à l'information (CAI) at www.cai.gouv.qc.ca

Quebec Law 25 — Specific Disclosures:

  • Our designated Privacy Officer is: Julien Francois, Chief Financial Officer, privacy@sureswiftcapital.com;
  • We conduct Privacy Impact Assessments (PIAs / EFVPs) prior to any cross-border communication of personal information from Quebec;
  • We do not use solely automated processing that produces legal or significant effects on individuals.
12.4  Other U.S. State Residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Montana (MCDPA), Oregon (OCPA), Utah (UCPA), and other states with comprehensive privacy statutes have the rights set out below. Please note that not all rights are available in every state – for example, Utah does not provide a right to correction. 

Right What It Means
Right of Access / Confirmation Confirm whether we process your personal data and obtain a copy of that data.
Right to Correction Request correction of inaccuracies in your personal data.
Right to Deletion Request deletion of personal data you have provided to us or that we have obtained about you.
Right to Portability Obtain personal data in a portable, readily usable format.
Right to Opt-Out Opt out of: (a) the sale of personal data; (b) targeted advertising; and (c) profiling in furtherance of solely automated decisions producing legal or similarly significant effects.
Right to Appeal If we decline your request, you may appeal by emailing privacy@sureswiftcapital.com with subject line "Privacy Rights Appeal - [Name Your State]." We will respond within 45 to 60 days as required by your state. If your appeal is denied, you may contact your State Attorney General.

Nevada Residents (SB 220): Nevada law gives certain residents the right to opt out of the sale of "covered information." We do not "sell" covered information as defined under Nevada law. Contact privacy@sureswiftcapital.com with questions.

12.5  How to Submit a Privacy Rights Request

To exercise any rights described in this Section 12, please use one of the following methods. All request mechanisms are designed to be accessible in accordance with Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. If you need assistance submitting a request due to a disability or require this Policy in an alternative format (e.g., large print, audio, or screen-reader-compatible), please contact us at privacy@sureswiftcapital.com with the subject line: "Privacy Rights Request" or 507-323-9225 and we will provide reasonable accommodations.

12.6  Verification of Identity

To protect your privacy and security, we must verify your identity before fulfilling your request. For account holders, we typically verify through account credentials. For non-account holders or where additional verification is needed, we may request information to reasonably identify you. We use verification information solely to process your request.

12.7  Authorized Agents

You may authorize an agent to submit requests on your behalf. We require written authorization (or a valid power of attorney) and may verify directly with you. California residents may designate an authorized agent by providing the agent with signed, written permission to act on their behalf.

12.8  Response Timeframes
  • California (CCPA/CPRA): 45 calendar days from receipt; extendable by 45 days with notice;
  • EEA/UK (GDPR/UK GDPR): 30 calendar days from receipt; extendable by 2 months with notice in complex cases;
  • Canada (PIPEDA): 30 calendar days from receipt; extendable where permitted;
  • Virginia, Colorado, Connecticut, Oregon: 45 days; extendable by 45 days with notice; Montana: 45 days; extendable by 15 days with notice;
  • Texas, Indiana: 45 days; extendable; and
  • Utah: 45 days; extendable by 45 days with notice.
12.9  Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights. We will not deny goods or services, charge different prices, or provide a different quality of service because you exercised any right under this Policy, except as permitted by law.

13.  Third-Party Links and Services

Our Site and Services may contain links to third-party websites, platforms, or integrations not operated by us. This Policy does not apply to those third-party services and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.

Where our Services integrate with third-party platforms (e.g., accounting, CRM, or productivity software), we recommend reviewing those providers' privacy policies to understand how they handle your personal information.

14.  Changes to This Privacy Policy

We may update this Policy periodically to reflect changes in our data practices, technology, or applicable law. When we make material changes, we will:

  • Update the "Effective Date" and "Last Updated" dates at the top of this Policy;
  • Post a prominent notice on our Site and/or within the Services;
  • Where required by applicable law, notify you by email or a notification within the Services prior to the change taking effect, and/or obtain your consent.

We encourage you to review this Policy periodically. Your continued use of the Site or Services after changes become effective constitutes acceptance of the updated Policy to the extent permitted by applicable law. Where applicable law (such as the GDPR or UK GDPR) requires affirmative consent for material changes, we will obtain such consent before the changes take effect. If you do not agree with the updated Policy, you should discontinue use of the Services.

15.  Who We Are and How to Contact Us

For questions, concerns, requests, or complaints about this Policy or our privacy practices, please contact us:

Legal Entity Name: SureSwift Worldwide Inc. dba LeadDyno
Website: https://www.leaddyno.com
Mailing: 5201 Eden Avenue, Suite 300
Edina, MN 55436
Attn: Privacy Officer
Privacy Contact Email: privacy@sureswiftcapital.com
Quebec Privacy Officer: Privacy Officer is: Julien Francois, Chief Financial Officer, privacy@sureswiftcapital.com


15.1  Supervisory Authorities

You also have the right to contact your relevant data protection supervisory authority:

  • EU Residents: The supervisory authority in your EU Member State of habitual residence, place of work, or where the alleged infringement occurred;
  • UK Residents: Information Commissioner's Office (ICO) – www.ico.org.uk | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF;
  • Canadian Residents (Federal): Office of the Privacy Commissioner of Canada (OPC) – www.priv.gc.ca;
  • Quebec Residents: Commission d'acces a l'information (CAI) – www.cai.gouv.qc.ca;
  • California Residents: California Privacy Protection Agency (CPPA) – www.cppa.ca.gov; and  
  • Other U.S. State Residents: Your applicable State Attorney General's office.

Appendix A:
Key Definitions

Term Definition
CCPA/CPRA California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the California Privacy Rights Act (Prop. 24), fully effective January 1, 2023
Controller The entity that determines the purposes and means of processing personal data
COPPA Children's Online Privacy Protection Act (15 U.S.C. §§6501-6506)
EEA European Economic Area: the 27 EU member states plus Iceland, Liechtenstein, and Norway
GDPR EU General Data Protection Regulation (EU) 2016/679
GPC Global Privacy Control: a browser/device opt-out preference signal for data sale and sharing
IDTA International Data Transfer Agreement: UK mechanism for compliant international personal data transfers, issued by the ICO
LIA Legitimate Interests Assessment: a documented balancing test performed under GDPR Art. 6(1)(f)
Personal Information / Personal Data Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable natural person
PIA / EFVP Privacy Impact Assessment / Évaluation des facteurs relatifs à la vie privée: assessment required under Quebec Law 25 before cross-border transfers
PIPEDA Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Canada)
Processor / Service Provider An entity that processes personal data on behalf of and under the instructions of a controller
Quebec Law 25 Act to Modernize Legislative Provisions Respecting the Protection of Personal Information (S.Q. 2021, c. 25)
SCCs Standard Contractual Clauses: European Commission-approved contractual safeguards for international data transfers (Commission Implementing Decision (EU) 2021/914)
Sensitive Personal Information CPRA: SSN, driver's license/passport numbers, financial account credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, health data, biometric identifiers, sexual orientation, private communications. GDPR Art. 9: racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.
UK GDPR The GDPR as retained in UK domestic law by the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019

Appendix B:
State-Specific Supplemental Disclosures

B.1  Colorado (Colorado Privacy Act – CPA, C.R.S. §6-1-1301 et seq.)

Colorado residents have rights of access, correction, deletion, portability, and opt-out of sale, targeted advertising, and profiling. To appeal a denied request, email privacy@sureswiftcapital.com with "Colorado Privacy Appeal" in the subject line within 45 days of our response. We will respond to the appeal within 45 days. If your appeal is denied, you may contact the Colorado Attorney General at coag.gov/file-complaint.

B.2  Connecticut (Connecticut Data Privacy Act – CTDPA, Conn. Gen. Stat. §42-515 et seq.)

Connecticut residents have rights of access, correction, deletion, portability, and opt-out. To appeal a denied request, email privacy@sureswiftcapital.com with "Connecticut Privacy Appeal" in the subject line. We will respond within 60 days. If denied, contact the Connecticut Attorney General at ct.gov/ag.

B.3  Virginia (Consumer Data Protection Act – VCDPA, Va. Code §§59.1-575 et seq.)

Virginia residents have rights of access, correction, deletion, portability, and opt-out. To appeal, email privacy@sureswiftcapital.com with "Virginia Privacy Appeal" in the subject line within 45 days of our response; we will respond within 60 days. If denied, contact the Virginia Attorney General at oag.state.va.us.

B.4  Texas (Texas Data Privacy and Security Act – TDPSA, Tex. Bus. & Com. Code §541 et seq.)

Texas residents have rights of access, correction, deletion, portability, and opt-out. To appeal, email privacy@sureswiftcapital.com with "Texas Privacy Appeal" in the subject line. We will respond within 45 days. If denied, contact the Texas Attorney General at www.texasattorneygeneral.gov.

B.5  Oregon (Oregon Consumer Privacy Act – OCPA, Or. Rev. Stat. §646A.570 et seq.)

Oregon residents have rights of access, correction, deletion, portability, and opt-out. To appeal, email privacy@sureswiftcapital.com with "Oregon Privacy Appeal" in the subject line. If denied, contact the Oregon Attorney General at doj.state.or.us.

B.6  Montana (Montana Consumer Data Privacy Act – MCDPA, Mont. Code Ann. §30-14-3201 et seq.)

Montana residents have rights of access, correction, deletion, portability, and opt-out. To appeal a denied request, email privacy@sureswiftcapital.com with "Montana Privacy Appeal" in the subject line; we will respond within 45 days.

B.7  Utah (Utah Consumer Privacy Act –UCPA, Utah Code §13-61-101 et seq.)

Utah residents have rights of access, deletion, portability, and opt-out of sale of personal data and targeted advertising. Response time: 45 days, extendable by 45 days with notice. Submit requests using the methods in Section 12.5.

B.8  Delaware, Indiana, Iowa, Tennessee, and Other Enacting States

We will comply with all enacted comprehensive U.S. state privacy laws as they come into effect, including but not limited to laws in Delaware, Indiana, Iowa, Tennessee, New Hampshire, New Jersey, Nebraska, Kentucky, Maryland, Minnesota, and Rhode Island. If your state has enacted such a law and it covers our processing activities, you may exercise your applicable rights using the methods described in Section 12.5. Contact us at privacy@sureswiftcapital.com and we will respond in accordance with your applicable rights and the timeframes required by your state's law.

1. Introduction

SureSwift Worldwide Inc. dba LeadDyno ("LeadDyno," referred to as "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy and Cookie Notice ("Policy") describes how we collect, use, disclose, and protect personal information about visitors to our website at https://www.leaddyno.com (the "Site"), users of our services, including through access to and use of our platform and/or any application (collectively, the "Services"), and others who interact with us.

This Policy applies to personal information we process as a controller (or equivalent). It does not apply to information we process on behalf of our business customers in our capacity as a service provider or data processor – that processing is governed by our agreements with those customers.

Please read this Policy carefully. By accessing or using our Site or Services, you acknowledge you have read and understood this Policy. Where required by applicable law, we will obtain your consent before collecting or using your personal information in certain ways. We are committed to making this Policy accessible to all users, including individuals with disabilities, in accordance with Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. If you need this Policy in an alternative format, please contact us at privacy@sureswiftcapital.com.

2.  Quick Reference: Your Privacy Rights by Jurisdiction

Depending on where you reside, you may have specific legal rights regarding your personal information. The table below provides a summary; full details appear in Section 12.

Jurisdiction / Law Key Consumer Rights
California (CCPA / CPRA) Know; Access; Correct; Delete; Opt-Out of Sale/Sharing; Limit Sensitive Personal Information; Non-Discrimination; Shine the Light
European Union (GDPR) Access; Rectification; Erasure (Right to be Forgotten); Restriction; Data Portability; Objection; Rights re Automated Decision-Making; Lodge Complaint with Supervisory Authority
United Kingdom (UK GDPR) Same as EU GDPR; supervised by the Information Commissioner's Office (ICO)
Canada - PIPEDA / Quebec Law 25 Access; Correction; Withdrawal of Consent; Complaint to Office of the Privacy Commissioner (OPC) or Commission d'acces a l'information (CAI, Quebec)
Other U.S. States (VA, CO, CT, TX, MT, OR, UT, etc.) Access / Confirmation; Correction; Deletion; Portability; Opt-Out of Sale / Targeted Advertising / Profiling; Right to Appeal Denial

d

3.  Personal Information We Collect

We collect personal information in the following ways, depending on how you interact with us.

3.1  Information You Provide Directly

We collect personal information you voluntarily provide when you:

  • Create an account or register for the Services (e.g., name, email address, password, job title, company name);
  • Subscribe to or purchase the Services (e.g., billing name, mailing address; payment card data is processed by our payment processor and not stored on our systems);
  • Contact us for support, with inquiries, or to provide feedback (e.g., name, email address, contents of your messages);
  • Participate in surveys, promotions, webinars, or events; and/or
  • Use interactive features that require you to submit content or data.
3.2  Information Collected Automatically

When you visit our Site or use our Services, we and our technology partners automatically collect:

  • Usage Data: pages viewed, features used, links clicked, searches conducted, and in-app actions;
  • Device and Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, and time zone;
  • Log Data: server access logs, error logs, referring URLs, date and time of requests;
  • Location Data: approximate geographic location (country, state/region) inferred from your IP address, and precise geolocation only if you provide explicit permission through your device or browser settings, where applicable; and/or
  • Cookie and Tracking Data: information collected through cookies, pixels, web beacons, and similar technologies (see Section 7).
3.3  Information from Third Parties

We may receive personal information about you from third parties, including:

  • Social login or SSO providers (e.g., Google, Microsoft) if you sign in through a third-party account;
  • Integration partners and resellers who refer customers to our Services;
  • Publicly available professional sources (e.g., professional directories, company websites); and/or
  • Data enrichment providers that supplement our records with business contact information.
3.4  CCPA/CPRA: Categories of Personal Information

The table below discloses, for purposes of the CCPA/CPRA, the categories of personal information we have collected in the preceding 12 months, the business or commercial purposes for which each category is collected, and the categories of third parties to whom each category is disclosed.

CCPA/CPRA Category Examples Collected Business Purpose(s) Disclosed To
Identifiers Name, email address, username, IP address, device ID, cookie ID Account management; Services delivery; security; analytics; marketing communications Services providers; analytics providers; advertising partners
Personal Records (Cal. Civ. Code §1798.80) Name, address, telephone number; billing information (processed via payment processor) Services delivery; billing; account management Payment processors; service providers
Commercial Information Subscription plan, purchase history, product usage, feature adoption Services delivery; analytics; customer success outreach Services providers; CRM tools
Internet / Electronic Network Activity Browsing history on Site; feature usage logs; clickstream data Security; debugging; product analytics; Services improvement Analytics providers; service providers
Geolocation Data (Non-Precise) Country, state, approximate city inferred from IP address Analytics; localization; tax compliance Analytics providers; service providers
Professional / Employment Information Job title, company name (if provided by user) Account management; personalization; communications Services providers; CRM tools
Inferences / Profile Data Usage patterns, feature preferences, account tier, engagement data Product improvement; customer success; relevant communications Services providers
Sensitive Personal Information Account login credentials. Account authentication, security, fraud prevention, and service delivery. Service providers only; no sale or sharing.

We do not knowingly collect biometric identifiers, genetic data, health or medical information, racial or ethnic origin, religious beliefs, or sexual orientation data, except as required by law or with your explicit consent.

4.  How We Use Your Personal Information

We use personal information we collect for the following purposes:

4.1  Providing and Improving the Services
  • Creating, verifying, and managing your account;
  • Processing transactions and managing billing and subscriptions;
  • Delivering, operating, and maintaining the Services and their features;
  • Providing technical support and responding to your requests;
  • Developing new features and improving existing functionality; and
  • Personalizing your experience.
4.2  Communications
  • Sending transactional and Services-related notices (e.g., account activity alerts, billing, security notifications, policy updates);
  • Responding to your inquiries and support tickets;
  • Sending marketing, promotional, and educational communications where you have provided consent, where we have an existing customer relationship and the communication relates to similar products or services (soft opt-in), or where otherwise permitted by applicable law. All marketing communications include an unsubscribe mechanism. You may opt out at any time; and
  • Sending product updates, newsletters, and invitations to events or webinars.
4.3  Security, Fraud Prevention, and Safety
  • Detecting, investigating, and preventing unauthorized access, security incidents, and fraudulent activity;
  • Protecting the security and integrity of our systems, infrastructure, and user data; and
  • Verifying identity and authenticating users.
4.4  Legal Compliance and Enforcement
  • Complying with applicable laws, regulations, subpoenas, court orders, and legal processes;
  • Enforcing our Terms of Service, acceptable use policies, and other agreements;
  • Establishing, exercising, or defending legal claims; and 
  • Maintaining required financial and operational records.
4.5  Analytics and Business Operations
  • Analyzing usage trends, Services performance, and user behavior to improve our products;
  • Conducting research, surveys, and A/B testing; and 
  • Supporting internal finance, audit, planning, and compliance functions.
4.6  Other Purposes

We may use your personal information for other purposes disclosed to you at the time of collection or with your consent.

5.  Legal Bases for Processing (GDPR and UK GDPR)

If you are located in the EEA or the UK, we process your personal data on the following legal bases under the GDPR and UK GDPR:

Legal Basis Processing Activities Additional Notes
Performance of a Contract (Art. 6(1)(b)) Account creation and management; Services delivery; billing and subscription management; technical support Processing necessary to fulfill our contractual obligations to you as a Services user
Legitimate Interests (Art. 6(1)(f)) Fraud prevention and security; product analytics and improvement; direct marketing to existing customers; enforcing our terms; Services update communications We have conducted a Legitimate Interests Assessment (LIA) for each activity, which is available upon request. Our interests include operating secure, reliable Services; communicating about relevant products; and protecting against fraud. You have the right to object (see Section 12.2).
Legal Obligation (Art. 6(1)(c)) Tax and accounting compliance; responding to lawful authority requests; maintaining legally required records Required by EU/UK law or the laws of our jurisdiction


Special Category Data (Art. 9 GDPR): We do not intentionally collect special categories of personal data (data revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data about sex life or sexual orientation) unless required by law or with your explicit consent. If we ever process such data, we will identify an appropriate Article 9 condition and notify you.

6.  How We Share Your Personal Information

We do not sell your personal information for monetary or other valuable consideration. We may share personal information as described below.

6.1  Services Providers and Data Processors

We engage third-party companies to perform services on our behalf, including:

  • Cloud infrastructure and hosting providers;
  • Payment processors (subject to PCI-DSS compliance; they handle billing data independently);
  • Customer relationship management (CRM) and marketing automation platforms;
  • Customer support and helpdesk tools;
  • Analytics, error monitoring, and performance measurement tools;
  • Email delivery and communications services; and
  • Security, identity verification, and fraud prevention services.

Service providers are authorized to use personal information only as necessary to provide services to us and are bound by contractual data protection obligations. Under GDPR/UK GDPR, these parties act as data processors and we execute Data Processing Agreements (DPAs) with each.

6.2  Business Partners 

We may share information with marketing consultants, technology integration partners, resellers and/or referral partners to facilitate the delivery of the Services or complementary offerings, subject to contractual obligations requiring those partners to protect personal information in a manner consistent with this Policy. Such sharing will be disclosed at the time of collection or in a supplemental notice.

6.3  Analytics and Advertising

We use third-party analytics services and, where applicable, advertising networks. These providers may receive device identifiers, usage data, and demographic inferences. Specific tools are identified in Section 7 (Cookies). You may opt out as described in Sections 8 and 13.

6.4  Corporate Transactions

If we undergo a merger, acquisition, asset sale, reorganization, dissolution, or similar transaction, personal information may be transferred to a successor entity as part of that transaction, subject to appropriate confidentiality protections. The successor entity will be bound by this Policy with respect to previously collected personal information until it provides its own notice of any changes. We will provide notice to affected individuals prior to or promptly following such a transaction: (a) for EEA/UK residents, the new controller will notify you of its identity, contact details, and any new purposes within one month of the transfer in accordance with GDPR Articles 13/14; (b) for Quebec residents, we will conduct a Privacy Impact Assessment (PIA/EFVP) prior to the transfer as required by Quebec Law 25 and notify the Commission d'acces a l'information (CAI) where applicable; (c) for California residents, we will provide notice and honor prior opt-out preferences under the CCPA/CPRA; and (d) for Canadian residents under PIPEDA, the successor organization will be bound by existing consent obligations and individuals will be notified of the change. Where required by applicable law, we will seek consent or provide an opt-out opportunity before any material change in the use of personal information resulting from such a transaction.

6.5  Legal Requirements and Protection of Rights

We may disclose personal information if we reasonably believe that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or safety of us, our users, or the public where there is a credible threat; or (d) detect, prevent, or address fraud, security incidents, or technical issues.

6.6  CCPA/CPRA — Sale and Sharing Disclosure

Under the CCPA/CPRA, certain data disclosures to advertising and analytics partners may qualify as a "sale" or "sharing" for cross-context behavioral advertising even without a direct monetary exchange.

We may "share" personal information (such as cookie identifiers and usage data) with advertising partners for cross-context behavioral advertising. California residents may opt out via the "Do Not Sell or Share My Personal Information" link on our homepage or by submitting a request as described in Section 12.5. We honor Global Privacy Control (GPC) signals. We do not sell or share the personal information of consumers known to be under 16 years of age without opt-in consent.

7.  Cookies and Tracking Technologies (Cookie Policy)

7.1  What Are Cookies?

Cookies are small data files stored on your device when you visit a website. We also use related tracking technologies including web beacons (clear GIFs or pixel tags), HTML5 local storage, and software development kits (SDKs). We use the term "cookies" throughout this Section to refer to all such technologies collectively.

7.2  Types of Cookies We Use
Category Purpose Examples / Tools Consent Required? Duration
Strictly Necessary Essential for the Site and Services to function. Cannot be disabled without breaking core functionality. Google reCAPTCHA, session management, authentication tokens, CSRF protection No - exempt from consent requirements; required for operation Session to persistent
Functional / Preference Remember preferences and settings to enhance the user experience. Figma application settings, YouTube interface preferences Yes (EU/UK/Canada); opt-out available for other jurisdictions Session to persistent
Analytics / Performance Understand how users interact with the Site and Services, measure performance, and improve functionality. Google Analytics, HubSpot, Zendesk, Calendly, PostHog, Sprig, Statsig, Optibase Yes (EU/UK/Canada); opt-out available for other jurisdictions Session to persistent
Marketing / Advertising Deliver relevant advertising, measure campaign performance, and support attribution and remarketing. Google Ads, Meta Pixel, LinkedIn Insight Tag, Microsoft Bing Ads, YouTube, LeadDyno Affiliate Tracking Yes (EU/UK/Canada); Opt-out / GPC honored where required by law Session to persistent
7.3  First-Party vs. Third-Party Cookies

First-party cookies are set directly by us. Third-party cookies are set by third-party services we integrate into our Site (e.g., analytics and advertising providers). Third parties may use cookies to track your activity across different websites and over time. While we select and configure the third-party services deployed on our Site, the data collected by those third parties is also subject to their own privacy policies. We encourage you to consult each provider's privacy policy for more information about their data practices, which can be reviewed here:

Cookie / Service Provider Purpose Category Duration
1 calendly.com Maintain and identify the user session to enable secure Calendly scheduling flows and related authentication on embedded pages. Marketing session
__cf_bm Cloudflare Bot management and security protection cookie Strictly Necessary 30 minutes
__gtm_campaign_url Google Tag Manager Stores campaign and referrer URL for signup attribution Advertising Persistent
__hssc HubSpot Keeps track of sessions to determine if HubSpot should increment the session number. Analytics 30 minutes
__hssrc HubSpot Determines if the visitor has restarted their browser. Analytics session
__hstc HubSpot Used for website analytics to track visitors and sessions Analytics 2 years
__Secure-ROLLOUT_TOKEN Google Registers a unique ID to keep statistics of what videos from YouTube the user has seen. Marketing 180 days
__Secure-YNID Google It's a YouTube cookie used to enhance user experience by storing video player preferences and aiding in secure log-ins and spam detectio Essential 180 days
__stripe_mid Stripe Fraud prevention and device identification during billing Strictly Necessary 1 year
__stripe_sid Stripe Session identifier used for payment fraud prevention Strictly Necessary 30 minutes
_ab calendly.com Used in connection with access to admin. Essential session
_cache calendly.com Stores cached scheduling and preference data needed to load Calendly widgets and pages quickly and keep users signed in. Marketing persistent
_cfuvid Cloudflare Security and rate-limiting identifier Strictly Necessary Session
_clck Microsoft Clarity Persists Clarity user ID and session replay preferences Analytics 1 year
_clsk Microsoft Clarity Connects page views into a single Clarity session recording Analytics 1 day
_fbp Meta Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers Marketing persistent
_ga Google Analytics Calculates visitor data and tracks site usage for the analytics report. Analytics 1 year 1 month 4 days
_ga_K4P5RLZ8KR Google Analytics Stores and counts page views for a specific Google Analytics 4 property. Analytics 1 year 1 month 4 days
_ga_Z8EST880Z8 Google Analytics Stores and counts page views for a specific Google Analytics 4 property. Analytics 1 year 1 month 4 days
_gcl_au Google Analytics Used by Google Ads to take information from ad clicks and store it in a first-party cookie so that conversions can be attributed outside the landing page Marketing 3 months
_gcl_ls Google Analytics Used by Google AdSense to understand user interaction with the website by generating analytical data Marketing 90 days
_gid Google Analytics Distinguishes users for analytics reporting Analytics 24 hours
_GRECAPTCHA Google reCAPTCHA Risk analysis and spam prevention for forms Strictly Necessary 6 months
_leaddyno_session LeadDyno Maintains authenticated user session, CSRF protection, flash messages, and login state Strictly Necessary Session / 24 hours
_mf calendly.com Maintain a temporary session identifier to recognize the user and support secure scheduling during the visit. Marketing session
_uetsid Microsoft Advertising (Bing UET) Session identifier for advertising attribution Advertising 1 day
_uetvid Microsoft Advertising (Bing UET) Visitor identifier used for advertising attribution and retargeting Advertising 13 months
affiliates_only LeadDyno Stores affiliate-only reporting view preference Functional Session
affiliates_tab_daterange LeadDyno Remembers selected date range on affiliate dashboard Functional Session
ajs_anonymous_id calendly.com Counts the number of unique visits to the site by tracking anonymous visitors. Analytics 1 year
ajs_anonymous_id Segment Anonymous visitor identifier for analytics tracking Analytics 1 year
ajs_user_id calendly.com Tracks visitor usage and events for Calendly integrations. Analytics 1 year
ajs_user_id Segment Stores identified user ID after login Analytics 1 year
hubspotutk HubSpot Keeps track of a visitor identity. Analytics 2 years
id Google This cookie is used for targeting, analyzing and optimisation of ad campaigns in DoubleClick/Google Marketing Suite Marketing 2 months
initialPathName Figma Store the initial URL path a user visits so the app can restore or adapt navigation flows during the current session. Personalization session
lastExternalReferrer Meta Detects how the user reached the website by registering their last URL-address Marketing persistent
lastExternalReferrerTime Meta Detects how the user reached the website by registering their last URL-address Marketing persistent
LD_APP_SID LeadDyno App session identifier used to track signed-in merchant sessions Functional 30 minutes
LD_H LeadDyno Integrity hash linking visitor activity to lead records Functional Persistent
LD_L LeadDyno Stores identified lead information for affiliate attribution (may contain email address) Advertising Persistent
LD_R LeadDyno Stores referring URL for affiliate attribution tracking Advertising Session
LD_S Google Analytics Stores internal state needed to periodically send visit and lead data for affiliate attribution and marketing analytics. Marketing 5 minutes
LD_S LeadDyno Stores visit session timestamp for affiliate tracking Analytics Session
LD_T Google Analytics Store a unique visitor ID so affiliate clicks, leads and purchases can be linked and commissions attributed. Marketing 100 years
LD_T LeadDyno Visitor identifier used for affiliate and referral attribution Advertising Persistent
LD_U Google Analytics Track and attribute affiliate marketing visits, including initial landing page, to measure campaign performance and payouts. Marketing 13 months
LD_U LeadDyno Stores last visited URL for tracked visitor session Analytics Session
li_adsId LinkedIn Stores a unique visitor identifier used by LinkedIn Ads for conversion tracking and audience matching across sites using the LinkedIn Insight Tag Marketing 30 days
optibaseCachedInitializeResponse-testsfalse-conversionsfalse optibase.io Stores initialization parameters for A/B testing and conversion tracking. Analytics 30 days
optibaseCachedInitializeResponse-teststrue-conversionstrue optibase.io Stores initialization parameters indicating active tests and active conversions. Analytics 30 days
ph_phc_5bpupckWJHmhrnZoZJ8m6EZyAjqL7SMZVClK66wP33M_posthog PostHog Used by PostHog Analytics to get insights into user behavior and track events. Analytics Configurable by customer, default 7 years for events
ph_phc_5bpupckWJHmhrnZoZJ8m6EZyAjqL7SMZVClK66wP33M_primary_window_exists PostHog Used by PostHog Analytics to get insights into user behavior and track events. Analytics Configurable by customer, default 7 years for events
ph_phc_5bpupckWJHmhrnZoZJ8m6EZyAjqL7SMZVClK66wP33M_window_id PostHog Maps events to a specific browser window or tab. Analytics session
rc::a Google Used by Google reCAPTCHA to store internal session analytics and risk scoring data for bot detection Essential Persistent in browser local storage until manually cleared
rc::c Google Used by Google reCAPTCHA to store challenge state and token data Essential Session in local browser storage
reportings_affiliate_daterange LeadDyno Stores reporting date range filter preference Functional Session
reportings_affiliate_status_filter LeadDyno Stores affiliate status filter preference Functional Session
sprig.anon.env.vid.map Sprig Maps anonymous visitor IDs for in-product surveys and product research. Analytics Persistent in browser local storage until manually cleared
sprig.disableReplayRecording Sprig Stores user preferences regarding session replay recording. Analytics Persistent in browser local storage until manually cleared
STATSIG_LOCAL_STORAGE_STABLE_ID Statsig Stores a stable device identifier for Statsig feature flag and experiment assignment Analytics Persistent in browser local storage until manually cleared
statsig.session_id.184042872 Statsig Statsig SDK cache data for feature gates, experiments, and evaluation results Analytics Persistent in browser local storage until manually cleared
statsig.stable_id.184042872 Statsig Statsig SDK cache data for feature gates, experiments, and evaluation results Analytics Persistent in browser local storage until manually cleared
statsig.stable_id.501823423 Statsig Statsig SDK cache data for feature gates, experiments, and evaluation results Analytics Persistent in browser local storage until manually cleared
userleap.ids Sprig Maps anonymous visitor IDs to Sprig environments for consistent user targeting across sessions for in-product surveys Analytics Persistent in browser local storage until manually cleared
VISITOR_INFO1_LIVE YouTube Used as a unique identifier to track viewing of videos and estimate bandwidth usage Marketing 5 months
VISITOR_PRIVACY_METADATA YouTube Stores visitor privacy settings and consent information for personalized advertising Marketing 5 months
YSC YouTube Used to track user interactions and measure advertising effectiveness for embedded videos Marketing session
yt-icons-last-purged youtube Store a timestamp of when YouTube icon assets were last cleared so the embedded player can load interface graphics efficiently and consistently. Personalization persistent
ytidb::LAST_RESULT_ENTRY_KEY YouTube Stores the last search result entry that was clicked by the user to improve the user experience by providing more relevant search results in the future Marketing Persistent in browser local storage until manually cleared
ZD-buid Zendesk Widget Unique browser identifier for the Zendesk chat widget. Analytics 1 year
ZD-suid Zendesk Widget Unique session identifier for the Zendesk chat widget. Analytics 20 mins

7.4  Managing Your Cookie Preferences

You have several options to control or opt out of cookies:

  • Cookie Consent Banner / Consent Management Platform (CMP): When you first visit our Site, a cookie consent banner will appear. You may accept all cookies, reject all non-essential cookies, or customize your preferences by category. Rejecting non-essential cookies is as easy as accepting them - we do not use pre-checked boxes or dark patterns. Your consent preferences are recorded and can be verified for compliance purposes. You can update your preferences at any time by clicking "Cookie Settings" at the bottom left of our website. If you do not interact with the banner, no non-essential cookies will be placed.
  • Browser Controls: Most browsers allow you to block or delete cookies through browser settings. Restricting cookies may affect the functionality of our Site or Services. Visit your browser's help documentation for instructions.
  • Industry Opt-Out Tools: Opt out of interest-based advertising at: optout.networkadvertising.org (NAI); optout.aboutads.info (DAA); youronlinechoices.eu (EDAA, for EU/UK users).
  • Google Analytics Opt-Out: Install the Google Analytics browser add-on at tools.google.com/dlpage/gaoptout.
7.5  Global Privacy Control (GPC)

We recognize and honor the Global Privacy Control (GPC) opt-out preference signal. If your browser or device transmits a GPC signal, we will treat it as a request to opt out of the "sale" and "sharing" of your personal information under applicable law, including for California residents under CCPA/CPRA and for residents of other states that require GPC recognition. Honoring GPC does not disable strictly necessary cookies.

8.  Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, subject to any longer retention period required by applicable law. Our retention criteria include:

  • Account data: retained for the duration of your active account, plus 24 months thereafter to allow account reactivation and resolve outstanding billing or legal matters;
  • Transaction and billing records: retained for 7 years as required by tax, accounting, and financial regulations;
  • Support and communications data: retained for 36 months after closure of the inquiry or account;
  • Cookie and analytics data: retained per the lifespan set for each cookie type (see Section 7.2), or as configured in our analytics platforms (typically 13–26 months);
  • Marketing data: retained until you opt out or unsubscribe, plus a brief period to process your request; and
  • Legal hold data: retained as long as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

When personal information is no longer needed for any of the above purposes, we securely delete or irreversibly anonymize it. Where immediate deletion is technically infeasible (e.g., in backup archives), we isolate the data from further use until deletion is possible.

9.  International Data Transfers

LeadDyno is based in Edina, Minnesota. Our servers, systems, and service providers may be located in the United States and Canada, among other countries. If you access the Services from outside the United States, your personal information may be transferred to, stored in, and processed in the United States and other countries that may not provide the same level of data protection as your country of residence.

9.1  Transfers from the EEA

For transfers of personal data from the EEA to countries not recognized by the European Commission as providing adequate protection, we rely on European Commission Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914 (using Controller-to-Processor [Module 2] or Controller-to-Controller [Module 1] clauses as applicable). Copies of our SCCs are available upon request at privacy@sureswiftcapital.com

9.2  Transfers from the United Kingdom

For transfers of personal data from the UK to countries not recognized as adequate by the UK Secretary of State, we rely on the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner’s Office, or the UK Addendum to the EU Standard Contractual Clauses (as applicable). Copies are available upon request at privacy@sureswiftcapital.com.

9.3  Transfers from Canada (Including Quebec)

For cross-border transfers of personal information from Canada, we implement contractual safeguards to ensure recipients provide a comparable level of protection. For personal information from Quebec, we conduct a Privacy Impact Assessment (PIA / Evaluation des facteurs relatifs à la vie privée — EFVP) prior to any cross-border communication, as required by Quebec Law 25.

10.  Data Security

We implement appropriate technical and organizational security measures designed to protect your personal information against unauthorized access, disclosure, alteration, destruction, or loss, including:

  • Encryption of data in transit using TLS 1.2 or higher;
  • Encryption of sensitive data at rest using industry-standard algorithms;
  • Role-based access controls and the principle of least privilege;
  • Multi-factor authentication (MFA) required for administrative system access;
  • Regular security testing, vulnerability assessments, and penetration testing;
  • Security due diligence of service providers, with Data Processing Agreements (DPAs) for all vendors handling personal data; and
  • Employee and contractor training on data protection, security awareness, and confidentiality obligations.

No security measure is completely impenetrable. If you believe your account or personal information has been compromised, please contact us immediately at privacy@sureswiftcapital.com. In the event of a personal data breach, we will notify affected individuals and relevant regulatory authorities as required by applicable law, including within 72 hours of becoming aware of a reportable breach under GDPR/UK GDPR, and within the timeframes required by applicable U.S. state breach notification laws and Canadian privacy legislation (including Quebec Law 25, which requires notification to the CAI and affected individuals when there is a risk of serious injury).

11.  Children's Privacy

Our Site and Services are not directed to children under the age of 13 (or under 16 where required by applicable law, such as the GDPR) and we do not knowingly collect personal information from children without verified parental or guardian consent. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at privacy@sureswiftcapital.com and we will promptly delete that information.

We comply with the Children's Online Privacy Protection Act (COPPA) in the United States, the UK Children's Code (Age Appropriate Design Code), applicable GDPR protections for children's personal data, and analogous Canadian requirements. Where we become aware that we have collected personal information from a child without appropriate consent, we will delete it as soon as practicable.

12.  Your Privacy Rights and How to Exercise Them

12.1  California Residents — CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”):

Right What It Means
Right to Know (Categories) Request disclosure of: the categories of personal information we have collected about you; categories of sources; our business/commercial purposes for collecting it; categories of third parties we disclosed it to; and the specific pieces of personal information we hold about you.
Right to Delete Request deletion of personal information we have collected, subject to statutory exceptions (e.g., completing an ongoing transaction, security purposes, legal obligations, fraud detection).
Right to Correct Request that we correct inaccurate personal information we maintain about you.
Right to Opt-Out of Sale / Sharing Opt out of the "sale" of personal information or its "sharing" for cross-context behavioral advertising.
Right to Limit Use of Sensitive PI Request that we limit our use and disclosure of sensitive personal information to purposes expressly permitted by the CPRA (e.g., providing the Services you requested).
Right to Non-Discrimination We will not deny goods or services, charge different prices, or provide a different quality of service because you exercised your CCPA/CPRA rights.
Shine the Light (Cal. Civ. Code §1798.83) Once per calendar year, California residents may request a list of categories of personal information we have shared with third parties for their direct marketing purposes during the prior calendar year. Email privacy@sureswiftcapital.com with subject line "Shine the Light Request."

12.2  EEA and UK Residents — GDPR / UK GDPR

If you are located in the EEA or UK, you have the following rights under the GDPR and/or UK GDPR:

Right What It Means
Right of Access (Art. 15) Obtain confirmation of whether we process your personal data and, if so, receive a copy of that data together with prescribed supplementary information (including purposes, categories, recipients, retention period, and applicable rights).
Right to Rectification (Art. 16) Request correction of inaccurate personal data and completion of incomplete personal data.
Right to Erasure / Right to be Forgotten (Art. 17) Request deletion of your personal data where: it is no longer necessary for its original purpose; you withdraw consent (and there is no other legal basis); you successfully object (see below); or the data has been unlawfully processed.
Right to Restriction (Art. 18) Request suspension of processing in certain circumstances (e.g., while we verify data accuracy or assess an objection).
Right to Data Portability (Art. 20) Receive personal data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller (applies where processing is consent- or contract-based and is automated).
Right to Object (Art. 21) Object to processing based on legitimate interests or direct marketing at any time. For direct marketing, we will always honor your objection immediately. For other legitimate interest processing, we will comply unless we can demonstrate compelling overriding legitimate grounds.
Rights re Automated Decision-Making (Art. 22) Not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects on you. We do not use solely automated decision-making that produces legal or similarly significant effects on individuals.
Right to Withdraw Consent Withdraw consent at any time (where processing is consent-based) without affecting the lawfulness of prior processing.
Right to Lodge a Complaint Lodge a complaint with the supervisory authority in your EU Member State of habitual residence, place of work, or where the alleged infringement occurred. UK residents may contact the ICO at ico.org.uk or 0303 123 1113.
12.3  Canadian Residents — PIPEDA and Quebec Law 25

If you reside in Canada, you have the following rights:

  • Right of Access: Request access to the personal information we hold about you and information about how it has been and is being used and disclosed;
  • Right to Correction: Request correction of personal information that is inaccurate or incomplete;
  • Right to Withdraw Consent: Withdraw consent to our collection, use, or disclosure of personal information, subject to legal or contractual restrictions and reasonable notice. Withdrawal may limit our ability to provide certain Services;
  • Right to File a Complaint: File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca. Quebec residents may also contact the Commission d'accès à l'information (CAI) at www.cai.gouv.qc.ca

Quebec Law 25 — Specific Disclosures:

  • Our designated Privacy Officer is: Julien Francois, Chief Financial Officer, privacy@sureswiftcapital.com;
  • We conduct Privacy Impact Assessments (PIAs / EFVPs) prior to any cross-border communication of personal information from Quebec;
  • We do not use solely automated processing that produces legal or significant effects on individuals.
12.4  Other U.S. State Residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Montana (MCDPA), Oregon (OCPA), Utah (UCPA), and other states with comprehensive privacy statutes have the rights set out below. Please note that not all rights are available in every state – for example, Utah does not provide a right to correction. 

Right What It Means
Right of Access / Confirmation Confirm whether we process your personal data and obtain a copy of that data.
Right to Correction Request correction of inaccuracies in your personal data.
Right to Deletion Request deletion of personal data you have provided to us or that we have obtained about you.
Right to Portability Obtain personal data in a portable, readily usable format.
Right to Opt-Out Opt out of: (a) the sale of personal data; (b) targeted advertising; and (c) profiling in furtherance of solely automated decisions producing legal or similarly significant effects.
Right to Appeal If we decline your request, you may appeal by emailing privacy@sureswiftcapital.com with subject line "Privacy Rights Appeal - [Name Your State]." We will respond within 45 to 60 days as required by your state. If your appeal is denied, you may contact your State Attorney General.

Nevada Residents (SB 220): Nevada law gives certain residents the right to opt out of the sale of "covered information." We do not "sell" covered information as defined under Nevada law. Contact privacy@sureswiftcapital.com with questions.

12.5  How to Submit a Privacy Rights Request

To exercise any rights described in this Section 12, please use one of the following methods. All request mechanisms are designed to be accessible in accordance with Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. If you need assistance submitting a request due to a disability or require this Policy in an alternative format (e.g., large print, audio, or screen-reader-compatible), please contact us at privacy@sureswiftcapital.com with the subject line: "Privacy Rights Request" or 507-323-9225 and we will provide reasonable accommodations.

12.6  Verification of Identity

To protect your privacy and security, we must verify your identity before fulfilling your request. For account holders, we typically verify through account credentials. For non-account holders or where additional verification is needed, we may request information to reasonably identify you. We use verification information solely to process your request.

12.7  Authorized Agents

You may authorize an agent to submit requests on your behalf. We require written authorization (or a valid power of attorney) and may verify directly with you. California residents may designate an authorized agent by providing the agent with signed, written permission to act on their behalf.

12.8  Response Timeframes
  • California (CCPA/CPRA): 45 calendar days from receipt; extendable by 45 days with notice;
  • EEA/UK (GDPR/UK GDPR): 30 calendar days from receipt; extendable by 2 months with notice in complex cases;
  • Canada (PIPEDA): 30 calendar days from receipt; extendable where permitted;
  • Virginia, Colorado, Connecticut, Oregon: 45 days; extendable by 45 days with notice; Montana: 45 days; extendable by 15 days with notice;
  • Texas, Indiana: 45 days; extendable; and
  • Utah: 45 days; extendable by 45 days with notice.
12.9  Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights. We will not deny goods or services, charge different prices, or provide a different quality of service because you exercised any right under this Policy, except as permitted by law.

13.  Third-Party Links and Services

Our Site and Services may contain links to third-party websites, platforms, or integrations not operated by us. This Policy does not apply to those third-party services and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.

Where our Services integrate with third-party platforms (e.g., accounting, CRM, or productivity software), we recommend reviewing those providers' privacy policies to understand how they handle your personal information.

14.  Changes to This Privacy Policy

We may update this Policy periodically to reflect changes in our data practices, technology, or applicable law. When we make material changes, we will:

  • Update the "Effective Date" and "Last Updated" dates at the top of this Policy;
  • Post a prominent notice on our Site and/or within the Services;
  • Where required by applicable law, notify you by email or a notification within the Services prior to the change taking effect, and/or obtain your consent.

We encourage you to review this Policy periodically. Your continued use of the Site or Services after changes become effective constitutes acceptance of the updated Policy to the extent permitted by applicable law. Where applicable law (such as the GDPR or UK GDPR) requires affirmative consent for material changes, we will obtain such consent before the changes take effect. If you do not agree with the updated Policy, you should discontinue use of the Services.

15.  Who We Are and How to Contact Us

For questions, concerns, requests, or complaints about this Policy or our privacy practices, please contact us:

Legal Entity Name: SureSwift Worldwide Inc. dba LeadDyno
Website: https://www.leaddyno.com
Mailing: 5201 Eden Avenue, Suite 300
Edina, MN 55436
Attn: Privacy Officer
Privacy Contact Email: privacy@sureswiftcapital.com
Quebec Privacy Officer: Privacy Officer is: Julien Francois, Chief Financial Officer, privacy@sureswiftcapital.com


15.1  Supervisory Authorities

You also have the right to contact your relevant data protection supervisory authority:

  • EU Residents: The supervisory authority in your EU Member State of habitual residence, place of work, or where the alleged infringement occurred;
  • UK Residents: Information Commissioner's Office (ICO) – www.ico.org.uk | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF;
  • Canadian Residents (Federal): Office of the Privacy Commissioner of Canada (OPC) – www.priv.gc.ca;
  • Quebec Residents: Commission d'acces a l'information (CAI) – www.cai.gouv.qc.ca;
  • California Residents: California Privacy Protection Agency (CPPA) – www.cppa.ca.gov; and  
  • Other U.S. State Residents: Your applicable State Attorney General's office.

Appendix A:
Key Definitions

Term Definition
CCPA/CPRA California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the California Privacy Rights Act (Prop. 24), fully effective January 1, 2023
Controller The entity that determines the purposes and means of processing personal data
COPPA Children's Online Privacy Protection Act (15 U.S.C. §§6501-6506)
EEA European Economic Area: the 27 EU member states plus Iceland, Liechtenstein, and Norway
GDPR EU General Data Protection Regulation (EU) 2016/679
GPC Global Privacy Control: a browser/device opt-out preference signal for data sale and sharing
IDTA International Data Transfer Agreement: UK mechanism for compliant international personal data transfers, issued by the ICO
LIA Legitimate Interests Assessment: a documented balancing test performed under GDPR Art. 6(1)(f)
Personal Information / Personal Data Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable natural person
PIA / EFVP Privacy Impact Assessment / Évaluation des facteurs relatifs à la vie privée: assessment required under Quebec Law 25 before cross-border transfers
PIPEDA Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Canada)
Processor / Service Provider An entity that processes personal data on behalf of and under the instructions of a controller
Quebec Law 25 Act to Modernize Legislative Provisions Respecting the Protection of Personal Information (S.Q. 2021, c. 25)
SCCs Standard Contractual Clauses: European Commission-approved contractual safeguards for international data transfers (Commission Implementing Decision (EU) 2021/914)
Sensitive Personal Information CPRA: SSN, driver's license/passport numbers, financial account credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, health data, biometric identifiers, sexual orientation, private communications. GDPR Art. 9: racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.
UK GDPR The GDPR as retained in UK domestic law by the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019

Appendix B:
State-Specific Supplemental Disclosures

B.1  Colorado (Colorado Privacy Act – CPA, C.R.S. §6-1-1301 et seq.)

Colorado residents have rights of access, correction, deletion, portability, and opt-out of sale, targeted advertising, and profiling. To appeal a denied request, email privacy@sureswiftcapital.com with "Colorado Privacy Appeal" in the subject line within 45 days of our response. We will respond to the appeal within 45 days. If your appeal is denied, you may contact the Colorado Attorney General at coag.gov/file-complaint.

B.2  Connecticut (Connecticut Data Privacy Act – CTDPA, Conn. Gen. Stat. §42-515 et seq.)

Connecticut residents have rights of access, correction, deletion, portability, and opt-out. To appeal a denied request, email privacy@sureswiftcapital.com with "Connecticut Privacy Appeal" in the subject line. We will respond within 60 days. If denied, contact the Connecticut Attorney General at ct.gov/ag.

B.3  Virginia (Consumer Data Protection Act – VCDPA, Va. Code §§59.1-575 et seq.)

Virginia residents have rights of access, correction, deletion, portability, and opt-out. To appeal, email privacy@sureswiftcapital.com with "Virginia Privacy Appeal" in the subject line within 45 days of our response; we will respond within 60 days. If denied, contact the Virginia Attorney General at oag.state.va.us.

B.4  Texas (Texas Data Privacy and Security Act – TDPSA, Tex. Bus. & Com. Code §541 et seq.)

Texas residents have rights of access, correction, deletion, portability, and opt-out. To appeal, email privacy@sureswiftcapital.com with "Texas Privacy Appeal" in the subject line. We will respond within 45 days. If denied, contact the Texas Attorney General at www.texasattorneygeneral.gov.

B.5  Oregon (Oregon Consumer Privacy Act – OCPA, Or. Rev. Stat. §646A.570 et seq.)

Oregon residents have rights of access, correction, deletion, portability, and opt-out. To appeal, email privacy@sureswiftcapital.com with "Oregon Privacy Appeal" in the subject line. If denied, contact the Oregon Attorney General at doj.state.or.us.

B.6  Montana (Montana Consumer Data Privacy Act – MCDPA, Mont. Code Ann. §30-14-3201 et seq.)

Montana residents have rights of access, correction, deletion, portability, and opt-out. To appeal a denied request, email privacy@sureswiftcapital.com with "Montana Privacy Appeal" in the subject line; we will respond within 45 days.

B.7  Utah (Utah Consumer Privacy Act –UCPA, Utah Code §13-61-101 et seq.)

Utah residents have rights of access, deletion, portability, and opt-out of sale of personal data and targeted advertising. Response time: 45 days, extendable by 45 days with notice. Submit requests using the methods in Section 12.5.

B.8  Delaware, Indiana, Iowa, Tennessee, and Other Enacting States

We will comply with all enacted comprehensive U.S. state privacy laws as they come into effect, including but not limited to laws in Delaware, Indiana, Iowa, Tennessee, New Hampshire, New Jersey, Nebraska, Kentucky, Maryland, Minnesota, and Rhode Island. If your state has enacted such a law and it covers our processing activities, you may exercise your applicable rights using the methods described in Section 12.5. Contact us at privacy@sureswiftcapital.com and we will respond in accordance with your applicable rights and the timeframes required by your state's law.

1. Introduction

SureSwift Worldwide Inc. dba LeadDyno ("LeadDyno," referred to as "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy and Cookie Notice ("Policy") describes how we collect, use, disclose, and protect personal information about visitors to our website at https://www.leaddyno.com (the "Site"), users of our services, including through access to and use of our platform and/or any application (collectively, the "Services"), and others who interact with us.

This Policy applies to personal information we process as a controller (or equivalent). It does not apply to information we process on behalf of our business customers in our capacity as a service provider or data processor – that processing is governed by our agreements with those customers.

Please read this Policy carefully. By accessing or using our Site or Services, you acknowledge you have read and understood this Policy. Where required by applicable law, we will obtain your consent before collecting or using your personal information in certain ways. We are committed to making this Policy accessible to all users, including individuals with disabilities, in accordance with Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. If you need this Policy in an alternative format, please contact us at privacy@sureswiftcapital.com.

2.  Quick Reference: Your Privacy Rights by Jurisdiction

Depending on where you reside, you may have specific legal rights regarding your personal information. The table below provides a summary; full details appear in Section 12.

Jurisdiction / Law Key Consumer Rights
California (CCPA / CPRA) Know; Access; Correct; Delete; Opt-Out of Sale/Sharing; Limit Sensitive Personal Information; Non-Discrimination; Shine the Light
European Union (GDPR) Access; Rectification; Erasure (Right to be Forgotten); Restriction; Data Portability; Objection; Rights re Automated Decision-Making; Lodge Complaint with Supervisory Authority
United Kingdom (UK GDPR) Same as EU GDPR; supervised by the Information Commissioner's Office (ICO)
Canada - PIPEDA / Quebec Law 25 Access; Correction; Withdrawal of Consent; Complaint to Office of the Privacy Commissioner (OPC) or Commission d'acces a l'information (CAI, Quebec)
Other U.S. States (VA, CO, CT, TX, MT, OR, UT, etc.) Access / Confirmation; Correction; Deletion; Portability; Opt-Out of Sale / Targeted Advertising / Profiling; Right to Appeal Denial

d

3.  Personal Information We Collect

We collect personal information in the following ways, depending on how you interact with us.

3.1  Information You Provide Directly

We collect personal information you voluntarily provide when you:

  • Create an account or register for the Services (e.g., name, email address, password, job title, company name);
  • Subscribe to or purchase the Services (e.g., billing name, mailing address; payment card data is processed by our payment processor and not stored on our systems);
  • Contact us for support, with inquiries, or to provide feedback (e.g., name, email address, contents of your messages);
  • Participate in surveys, promotions, webinars, or events; and/or
  • Use interactive features that require you to submit content or data.
3.2  Information Collected Automatically

When you visit our Site or use our Services, we and our technology partners automatically collect:

  • Usage Data: pages viewed, features used, links clicked, searches conducted, and in-app actions;
  • Device and Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, and time zone;
  • Log Data: server access logs, error logs, referring URLs, date and time of requests;
  • Location Data: approximate geographic location (country, state/region) inferred from your IP address, and precise geolocation only if you provide explicit permission through your device or browser settings, where applicable; and/or
  • Cookie and Tracking Data: information collected through cookies, pixels, web beacons, and similar technologies (see Section 7).
3.3  Information from Third Parties

We may receive personal information about you from third parties, including:

  • Social login or SSO providers (e.g., Google, Microsoft) if you sign in through a third-party account;
  • Integration partners and resellers who refer customers to our Services;
  • Publicly available professional sources (e.g., professional directories, company websites); and/or
  • Data enrichment providers that supplement our records with business contact information.
3.4  CCPA/CPRA: Categories of Personal Information

The table below discloses, for purposes of the CCPA/CPRA, the categories of personal information we have collected in the preceding 12 months, the business or commercial purposes for which each category is collected, and the categories of third parties to whom each category is disclosed.

CCPA/CPRA Category Examples Collected Business Purpose(s) Disclosed To
Identifiers Name, email address, username, IP address, device ID, cookie ID Account management; Services delivery; security; analytics; marketing communications Services providers; analytics providers; advertising partners
Personal Records (Cal. Civ. Code §1798.80) Name, address, telephone number; billing information (processed via payment processor) Services delivery; billing; account management Payment processors; service providers
Commercial Information Subscription plan, purchase history, product usage, feature adoption Services delivery; analytics; customer success outreach Services providers; CRM tools
Internet / Electronic Network Activity Browsing history on Site; feature usage logs; clickstream data Security; debugging; product analytics; Services improvement Analytics providers; service providers
Geolocation Data (Non-Precise) Country, state, approximate city inferred from IP address Analytics; localization; tax compliance Analytics providers; service providers
Professional / Employment Information Job title, company name (if provided by user) Account management; personalization; communications Services providers; CRM tools
Inferences / Profile Data Usage patterns, feature preferences, account tier, engagement data Product improvement; customer success; relevant communications Services providers
Sensitive Personal Information Account login credentials. Account authentication, security, fraud prevention, and service delivery. Service providers only; no sale or sharing.

We do not knowingly collect biometric identifiers, genetic data, health or medical information, racial or ethnic origin, religious beliefs, or sexual orientation data, except as required by law or with your explicit consent.

4.  How We Use Your Personal Information

We use personal information we collect for the following purposes:

4.1  Providing and Improving the Services
  • Creating, verifying, and managing your account;
  • Processing transactions and managing billing and subscriptions;
  • Delivering, operating, and maintaining the Services and their features;
  • Providing technical support and responding to your requests;
  • Developing new features and improving existing functionality; and
  • Personalizing your experience.
4.2  Communications
  • Sending transactional and Services-related notices (e.g., account activity alerts, billing, security notifications, policy updates);
  • Responding to your inquiries and support tickets;
  • Sending marketing, promotional, and educational communications where you have provided consent, where we have an existing customer relationship and the communication relates to similar products or services (soft opt-in), or where otherwise permitted by applicable law. All marketing communications include an unsubscribe mechanism. You may opt out at any time; and
  • Sending product updates, newsletters, and invitations to events or webinars.
4.3  Security, Fraud Prevention, and Safety
  • Detecting, investigating, and preventing unauthorized access, security incidents, and fraudulent activity;
  • Protecting the security and integrity of our systems, infrastructure, and user data; and
  • Verifying identity and authenticating users.
4.4  Legal Compliance and Enforcement
  • Complying with applicable laws, regulations, subpoenas, court orders, and legal processes;
  • Enforcing our Terms of Service, acceptable use policies, and other agreements;
  • Establishing, exercising, or defending legal claims; and 
  • Maintaining required financial and operational records.
4.5  Analytics and Business Operations
  • Analyzing usage trends, Services performance, and user behavior to improve our products;
  • Conducting research, surveys, and A/B testing; and 
  • Supporting internal finance, audit, planning, and compliance functions.
4.6  Other Purposes

We may use your personal information for other purposes disclosed to you at the time of collection or with your consent.

5.  Legal Bases for Processing (GDPR and UK GDPR)

If you are located in the EEA or the UK, we process your personal data on the following legal bases under the GDPR and UK GDPR:

Legal Basis Processing Activities Additional Notes
Performance of a Contract (Art. 6(1)(b)) Account creation and management; Services delivery; billing and subscription management; technical support Processing necessary to fulfill our contractual obligations to you as a Services user
Legitimate Interests (Art. 6(1)(f)) Fraud prevention and security; product analytics and improvement; direct marketing to existing customers; enforcing our terms; Services update communications We have conducted a Legitimate Interests Assessment (LIA) for each activity, which is available upon request. Our interests include operating secure, reliable Services; communicating about relevant products; and protecting against fraud. You have the right to object (see Section 12.2).
Legal Obligation (Art. 6(1)(c)) Tax and accounting compliance; responding to lawful authority requests; maintaining legally required records Required by EU/UK law or the laws of our jurisdiction


Special Category Data (Art. 9 GDPR): We do not intentionally collect special categories of personal data (data revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data about sex life or sexual orientation) unless required by law or with your explicit consent. If we ever process such data, we will identify an appropriate Article 9 condition and notify you.

6.  How We Share Your Personal Information

We do not sell your personal information for monetary or other valuable consideration. We may share personal information as described below.

6.1  Services Providers and Data Processors

We engage third-party companies to perform services on our behalf, including:

  • Cloud infrastructure and hosting providers;
  • Payment processors (subject to PCI-DSS compliance; they handle billing data independently);
  • Customer relationship management (CRM) and marketing automation platforms;
  • Customer support and helpdesk tools;
  • Analytics, error monitoring, and performance measurement tools;
  • Email delivery and communications services; and
  • Security, identity verification, and fraud prevention services.

Service providers are authorized to use personal information only as necessary to provide services to us and are bound by contractual data protection obligations. Under GDPR/UK GDPR, these parties act as data processors and we execute Data Processing Agreements (DPAs) with each.

6.2  Business Partners 

We may share information with marketing consultants, technology integration partners, resellers and/or referral partners to facilitate the delivery of the Services or complementary offerings, subject to contractual obligations requiring those partners to protect personal information in a manner consistent with this Policy. Such sharing will be disclosed at the time of collection or in a supplemental notice.

6.3  Analytics and Advertising

We use third-party analytics services and, where applicable, advertising networks. These providers may receive device identifiers, usage data, and demographic inferences. Specific tools are identified in Section 7 (Cookies). You may opt out as described in Sections 8 and 13.

6.4  Corporate Transactions

If we undergo a merger, acquisition, asset sale, reorganization, dissolution, or similar transaction, personal information may be transferred to a successor entity as part of that transaction, subject to appropriate confidentiality protections. The successor entity will be bound by this Policy with respect to previously collected personal information until it provides its own notice of any changes. We will provide notice to affected individuals prior to or promptly following such a transaction: (a) for EEA/UK residents, the new controller will notify you of its identity, contact details, and any new purposes within one month of the transfer in accordance with GDPR Articles 13/14; (b) for Quebec residents, we will conduct a Privacy Impact Assessment (PIA/EFVP) prior to the transfer as required by Quebec Law 25 and notify the Commission d'acces a l'information (CAI) where applicable; (c) for California residents, we will provide notice and honor prior opt-out preferences under the CCPA/CPRA; and (d) for Canadian residents under PIPEDA, the successor organization will be bound by existing consent obligations and individuals will be notified of the change. Where required by applicable law, we will seek consent or provide an opt-out opportunity before any material change in the use of personal information resulting from such a transaction.

6.5  Legal Requirements and Protection of Rights

We may disclose personal information if we reasonably believe that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or safety of us, our users, or the public where there is a credible threat; or (d) detect, prevent, or address fraud, security incidents, or technical issues.

6.6  CCPA/CPRA — Sale and Sharing Disclosure

Under the CCPA/CPRA, certain data disclosures to advertising and analytics partners may qualify as a "sale" or "sharing" for cross-context behavioral advertising even without a direct monetary exchange.

We may "share" personal information (such as cookie identifiers and usage data) with advertising partners for cross-context behavioral advertising. California residents may opt out via the "Do Not Sell or Share My Personal Information" link on our homepage or by submitting a request as described in Section 12.5. We honor Global Privacy Control (GPC) signals. We do not sell or share the personal information of consumers known to be under 16 years of age without opt-in consent.

7.  Cookies and Tracking Technologies (Cookie Policy)

7.1  What Are Cookies?

Cookies are small data files stored on your device when you visit a website. We also use related tracking technologies including web beacons (clear GIFs or pixel tags), HTML5 local storage, and software development kits (SDKs). We use the term "cookies" throughout this Section to refer to all such technologies collectively.

7.2  Types of Cookies We Use
Category Purpose Examples / Tools Consent Required? Duration
Strictly Necessary Essential for the Site and Services to function. Cannot be disabled without breaking core functionality. Google reCAPTCHA, session management, authentication tokens, CSRF protection No - exempt from consent requirements; required for operation Session to persistent
Functional / Preference Remember preferences and settings to enhance the user experience. Figma application settings, YouTube interface preferences Yes (EU/UK/Canada); opt-out available for other jurisdictions Session to persistent
Analytics / Performance Understand how users interact with the Site and Services, measure performance, and improve functionality. Google Analytics, HubSpot, Zendesk, Calendly, PostHog, Sprig, Statsig, Optibase Yes (EU/UK/Canada); opt-out available for other jurisdictions Session to persistent
Marketing / Advertising Deliver relevant advertising, measure campaign performance, and support attribution and remarketing. Google Ads, Meta Pixel, LinkedIn Insight Tag, Microsoft Bing Ads, YouTube, LeadDyno Affiliate Tracking Yes (EU/UK/Canada); Opt-out / GPC honored where required by law Session to persistent
7.3  First-Party vs. Third-Party Cookies

First-party cookies are set directly by us. Third-party cookies are set by third-party services we integrate into our Site (e.g., analytics and advertising providers). Third parties may use cookies to track your activity across different websites and over time. While we select and configure the third-party services deployed on our Site, the data collected by those third parties is also subject to their own privacy policies. We encourage you to consult each provider's privacy policy for more information about their data practices, which can be reviewed here:

Cookie / Service Provider Purpose Category Duration
1 calendly.com Maintain and identify the user session to enable secure Calendly scheduling flows and related authentication on embedded pages. Marketing session
__cf_bm Cloudflare Bot management and security protection cookie Strictly Necessary 30 minutes
__gtm_campaign_url Google Tag Manager Stores campaign and referrer URL for signup attribution Advertising Persistent
__hssc HubSpot Keeps track of sessions to determine if HubSpot should increment the session number. Analytics 30 minutes
__hssrc HubSpot Determines if the visitor has restarted their browser. Analytics session
__hstc HubSpot Used for website analytics to track visitors and sessions Analytics 2 years
__Secure-ROLLOUT_TOKEN Google Registers a unique ID to keep statistics of what videos from YouTube the user has seen. Marketing 180 days
__Secure-YNID Google It's a YouTube cookie used to enhance user experience by storing video player preferences and aiding in secure log-ins and spam detectio Essential 180 days
__stripe_mid Stripe Fraud prevention and device identification during billing Strictly Necessary 1 year
__stripe_sid Stripe Session identifier used for payment fraud prevention Strictly Necessary 30 minutes
_ab calendly.com Used in connection with access to admin. Essential session
_cache calendly.com Stores cached scheduling and preference data needed to load Calendly widgets and pages quickly and keep users signed in. Marketing persistent
_cfuvid Cloudflare Security and rate-limiting identifier Strictly Necessary Session
_clck Microsoft Clarity Persists Clarity user ID and session replay preferences Analytics 1 year
_clsk Microsoft Clarity Connects page views into a single Clarity session recording Analytics 1 day
_fbp Meta Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers Marketing persistent
_ga Google Analytics Calculates visitor data and tracks site usage for the analytics report. Analytics 1 year 1 month 4 days
_ga_K4P5RLZ8KR Google Analytics Stores and counts page views for a specific Google Analytics 4 property. Analytics 1 year 1 month 4 days
_ga_Z8EST880Z8 Google Analytics Stores and counts page views for a specific Google Analytics 4 property. Analytics 1 year 1 month 4 days
_gcl_au Google Analytics Used by Google Ads to take information from ad clicks and store it in a first-party cookie so that conversions can be attributed outside the landing page Marketing 3 months
_gcl_ls Google Analytics Used by Google AdSense to understand user interaction with the website by generating analytical data Marketing 90 days
_gid Google Analytics Distinguishes users for analytics reporting Analytics 24 hours
_GRECAPTCHA Google reCAPTCHA Risk analysis and spam prevention for forms Strictly Necessary 6 months
_leaddyno_session LeadDyno Maintains authenticated user session, CSRF protection, flash messages, and login state Strictly Necessary Session / 24 hours
_mf calendly.com Maintain a temporary session identifier to recognize the user and support secure scheduling during the visit. Marketing session
_uetsid Microsoft Advertising (Bing UET) Session identifier for advertising attribution Advertising 1 day
_uetvid Microsoft Advertising (Bing UET) Visitor identifier used for advertising attribution and retargeting Advertising 13 months
affiliates_only LeadDyno Stores affiliate-only reporting view preference Functional Session
affiliates_tab_daterange LeadDyno Remembers selected date range on affiliate dashboard Functional Session
ajs_anonymous_id calendly.com Counts the number of unique visits to the site by tracking anonymous visitors. Analytics 1 year
ajs_anonymous_id Segment Anonymous visitor identifier for analytics tracking Analytics 1 year
ajs_user_id calendly.com Tracks visitor usage and events for Calendly integrations. Analytics 1 year
ajs_user_id Segment Stores identified user ID after login Analytics 1 year
hubspotutk HubSpot Keeps track of a visitor identity. Analytics 2 years
id Google This cookie is used for targeting, analyzing and optimisation of ad campaigns in DoubleClick/Google Marketing Suite Marketing 2 months
initialPathName Figma Store the initial URL path a user visits so the app can restore or adapt navigation flows during the current session. Personalization session
lastExternalReferrer Meta Detects how the user reached the website by registering their last URL-address Marketing persistent
lastExternalReferrerTime Meta Detects how the user reached the website by registering their last URL-address Marketing persistent
LD_APP_SID LeadDyno App session identifier used to track signed-in merchant sessions Functional 30 minutes
LD_H LeadDyno Integrity hash linking visitor activity to lead records Functional Persistent
LD_L LeadDyno Stores identified lead information for affiliate attribution (may contain email address) Advertising Persistent
LD_R LeadDyno Stores referring URL for affiliate attribution tracking Advertising Session
LD_S Google Analytics Stores internal state needed to periodically send visit and lead data for affiliate attribution and marketing analytics. Marketing 5 minutes
LD_S LeadDyno Stores visit session timestamp for affiliate tracking Analytics Session
LD_T Google Analytics Store a unique visitor ID so affiliate clicks, leads and purchases can be linked and commissions attributed. Marketing 100 years
LD_T LeadDyno Visitor identifier used for affiliate and referral attribution Advertising Persistent
LD_U Google Analytics Track and attribute affiliate marketing visits, including initial landing page, to measure campaign performance and payouts. Marketing 13 months
LD_U LeadDyno Stores last visited URL for tracked visitor session Analytics Session
li_adsId LinkedIn Stores a unique visitor identifier used by LinkedIn Ads for conversion tracking and audience matching across sites using the LinkedIn Insight Tag Marketing 30 days
optibaseCachedInitializeResponse-testsfalse-conversionsfalse optibase.io Stores initialization parameters for A/B testing and conversion tracking. Analytics 30 days
optibaseCachedInitializeResponse-teststrue-conversionstrue optibase.io Stores initialization parameters indicating active tests and active conversions. Analytics 30 days
ph_phc_5bpupckWJHmhrnZoZJ8m6EZyAjqL7SMZVClK66wP33M_posthog PostHog Used by PostHog Analytics to get insights into user behavior and track events. Analytics Configurable by customer, default 7 years for events
ph_phc_5bpupckWJHmhrnZoZJ8m6EZyAjqL7SMZVClK66wP33M_primary_window_exists PostHog Used by PostHog Analytics to get insights into user behavior and track events. Analytics Configurable by customer, default 7 years for events
ph_phc_5bpupckWJHmhrnZoZJ8m6EZyAjqL7SMZVClK66wP33M_window_id PostHog Maps events to a specific browser window or tab. Analytics session
rc::a Google Used by Google reCAPTCHA to store internal session analytics and risk scoring data for bot detection Essential Persistent in browser local storage until manually cleared
rc::c Google Used by Google reCAPTCHA to store challenge state and token data Essential Session in local browser storage
reportings_affiliate_daterange LeadDyno Stores reporting date range filter preference Functional Session
reportings_affiliate_status_filter LeadDyno Stores affiliate status filter preference Functional Session
sprig.anon.env.vid.map Sprig Maps anonymous visitor IDs for in-product surveys and product research. Analytics Persistent in browser local storage until manually cleared
sprig.disableReplayRecording Sprig Stores user preferences regarding session replay recording. Analytics Persistent in browser local storage until manually cleared
STATSIG_LOCAL_STORAGE_STABLE_ID Statsig Stores a stable device identifier for Statsig feature flag and experiment assignment Analytics Persistent in browser local storage until manually cleared
statsig.session_id.184042872 Statsig Statsig SDK cache data for feature gates, experiments, and evaluation results Analytics Persistent in browser local storage until manually cleared
statsig.stable_id.184042872 Statsig Statsig SDK cache data for feature gates, experiments, and evaluation results Analytics Persistent in browser local storage until manually cleared
statsig.stable_id.501823423 Statsig Statsig SDK cache data for feature gates, experiments, and evaluation results Analytics Persistent in browser local storage until manually cleared
userleap.ids Sprig Maps anonymous visitor IDs to Sprig environments for consistent user targeting across sessions for in-product surveys Analytics Persistent in browser local storage until manually cleared
VISITOR_INFO1_LIVE YouTube Used as a unique identifier to track viewing of videos and estimate bandwidth usage Marketing 5 months
VISITOR_PRIVACY_METADATA YouTube Stores visitor privacy settings and consent information for personalized advertising Marketing 5 months
YSC YouTube Used to track user interactions and measure advertising effectiveness for embedded videos Marketing session
yt-icons-last-purged youtube Store a timestamp of when YouTube icon assets were last cleared so the embedded player can load interface graphics efficiently and consistently. Personalization persistent
ytidb::LAST_RESULT_ENTRY_KEY YouTube Stores the last search result entry that was clicked by the user to improve the user experience by providing more relevant search results in the future Marketing Persistent in browser local storage until manually cleared
ZD-buid Zendesk Widget Unique browser identifier for the Zendesk chat widget. Analytics 1 year
ZD-suid Zendesk Widget Unique session identifier for the Zendesk chat widget. Analytics 20 mins

7.4  Managing Your Cookie Preferences

You have several options to control or opt out of cookies:

  • Cookie Consent Banner / Consent Management Platform (CMP): When you first visit our Site, a cookie consent banner will appear. You may accept all cookies, reject all non-essential cookies, or customize your preferences by category. Rejecting non-essential cookies is as easy as accepting them - we do not use pre-checked boxes or dark patterns. Your consent preferences are recorded and can be verified for compliance purposes. You can update your preferences at any time by clicking "Cookie Settings" at the bottom left of our website. If you do not interact with the banner, no non-essential cookies will be placed.
  • Browser Controls: Most browsers allow you to block or delete cookies through browser settings. Restricting cookies may affect the functionality of our Site or Services. Visit your browser's help documentation for instructions.
  • Industry Opt-Out Tools: Opt out of interest-based advertising at: optout.networkadvertising.org (NAI); optout.aboutads.info (DAA); youronlinechoices.eu (EDAA, for EU/UK users).
  • Google Analytics Opt-Out: Install the Google Analytics browser add-on at tools.google.com/dlpage/gaoptout.
7.5  Global Privacy Control (GPC)

We recognize and honor the Global Privacy Control (GPC) opt-out preference signal. If your browser or device transmits a GPC signal, we will treat it as a request to opt out of the "sale" and "sharing" of your personal information under applicable law, including for California residents under CCPA/CPRA and for residents of other states that require GPC recognition. Honoring GPC does not disable strictly necessary cookies.

8.  Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, subject to any longer retention period required by applicable law. Our retention criteria include:

  • Account data: retained for the duration of your active account, plus 24 months thereafter to allow account reactivation and resolve outstanding billing or legal matters;
  • Transaction and billing records: retained for 7 years as required by tax, accounting, and financial regulations;
  • Support and communications data: retained for 36 months after closure of the inquiry or account;
  • Cookie and analytics data: retained per the lifespan set for each cookie type (see Section 7.2), or as configured in our analytics platforms (typically 13–26 months);
  • Marketing data: retained until you opt out or unsubscribe, plus a brief period to process your request; and
  • Legal hold data: retained as long as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

When personal information is no longer needed for any of the above purposes, we securely delete or irreversibly anonymize it. Where immediate deletion is technically infeasible (e.g., in backup archives), we isolate the data from further use until deletion is possible.

9.  International Data Transfers

LeadDyno is based in Edina, Minnesota. Our servers, systems, and service providers may be located in the United States and Canada, among other countries. If you access the Services from outside the United States, your personal information may be transferred to, stored in, and processed in the United States and other countries that may not provide the same level of data protection as your country of residence.

9.1  Transfers from the EEA

For transfers of personal data from the EEA to countries not recognized by the European Commission as providing adequate protection, we rely on European Commission Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914 (using Controller-to-Processor [Module 2] or Controller-to-Controller [Module 1] clauses as applicable). Copies of our SCCs are available upon request at privacy@sureswiftcapital.com

9.2  Transfers from the United Kingdom

For transfers of personal data from the UK to countries not recognized as adequate by the UK Secretary of State, we rely on the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner’s Office, or the UK Addendum to the EU Standard Contractual Clauses (as applicable). Copies are available upon request at privacy@sureswiftcapital.com.

9.3  Transfers from Canada (Including Quebec)

For cross-border transfers of personal information from Canada, we implement contractual safeguards to ensure recipients provide a comparable level of protection. For personal information from Quebec, we conduct a Privacy Impact Assessment (PIA / Evaluation des facteurs relatifs à la vie privée — EFVP) prior to any cross-border communication, as required by Quebec Law 25.

10.  Data Security

We implement appropriate technical and organizational security measures designed to protect your personal information against unauthorized access, disclosure, alteration, destruction, or loss, including:

  • Encryption of data in transit using TLS 1.2 or higher;
  • Encryption of sensitive data at rest using industry-standard algorithms;
  • Role-based access controls and the principle of least privilege;
  • Multi-factor authentication (MFA) required for administrative system access;
  • Regular security testing, vulnerability assessments, and penetration testing;
  • Security due diligence of service providers, with Data Processing Agreements (DPAs) for all vendors handling personal data; and
  • Employee and contractor training on data protection, security awareness, and confidentiality obligations.

No security measure is completely impenetrable. If you believe your account or personal information has been compromised, please contact us immediately at privacy@sureswiftcapital.com. In the event of a personal data breach, we will notify affected individuals and relevant regulatory authorities as required by applicable law, including within 72 hours of becoming aware of a reportable breach under GDPR/UK GDPR, and within the timeframes required by applicable U.S. state breach notification laws and Canadian privacy legislation (including Quebec Law 25, which requires notification to the CAI and affected individuals when there is a risk of serious injury).

11.  Children's Privacy

Our Site and Services are not directed to children under the age of 13 (or under 16 where required by applicable law, such as the GDPR) and we do not knowingly collect personal information from children without verified parental or guardian consent. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at privacy@sureswiftcapital.com and we will promptly delete that information.

We comply with the Children's Online Privacy Protection Act (COPPA) in the United States, the UK Children's Code (Age Appropriate Design Code), applicable GDPR protections for children's personal data, and analogous Canadian requirements. Where we become aware that we have collected personal information from a child without appropriate consent, we will delete it as soon as practicable.

12.  Your Privacy Rights and How to Exercise Them

12.1  California Residents — CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”):

Right What It Means
Right to Know (Categories) Request disclosure of: the categories of personal information we have collected about you; categories of sources; our business/commercial purposes for collecting it; categories of third parties we disclosed it to; and the specific pieces of personal information we hold about you.
Right to Delete Request deletion of personal information we have collected, subject to statutory exceptions (e.g., completing an ongoing transaction, security purposes, legal obligations, fraud detection).
Right to Correct Request that we correct inaccurate personal information we maintain about you.
Right to Opt-Out of Sale / Sharing Opt out of the "sale" of personal information or its "sharing" for cross-context behavioral advertising.
Right to Limit Use of Sensitive PI Request that we limit our use and disclosure of sensitive personal information to purposes expressly permitted by the CPRA (e.g., providing the Services you requested).
Right to Non-Discrimination We will not deny goods or services, charge different prices, or provide a different quality of service because you exercised your CCPA/CPRA rights.
Shine the Light (Cal. Civ. Code §1798.83) Once per calendar year, California residents may request a list of categories of personal information we have shared with third parties for their direct marketing purposes during the prior calendar year. Email privacy@sureswiftcapital.com with subject line "Shine the Light Request."

12.2  EEA and UK Residents — GDPR / UK GDPR

If you are located in the EEA or UK, you have the following rights under the GDPR and/or UK GDPR:

Right What It Means
Right of Access (Art. 15) Obtain confirmation of whether we process your personal data and, if so, receive a copy of that data together with prescribed supplementary information (including purposes, categories, recipients, retention period, and applicable rights).
Right to Rectification (Art. 16) Request correction of inaccurate personal data and completion of incomplete personal data.
Right to Erasure / Right to be Forgotten (Art. 17) Request deletion of your personal data where: it is no longer necessary for its original purpose; you withdraw consent (and there is no other legal basis); you successfully object (see below); or the data has been unlawfully processed.
Right to Restriction (Art. 18) Request suspension of processing in certain circumstances (e.g., while we verify data accuracy or assess an objection).
Right to Data Portability (Art. 20) Receive personal data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller (applies where processing is consent- or contract-based and is automated).
Right to Object (Art. 21) Object to processing based on legitimate interests or direct marketing at any time. For direct marketing, we will always honor your objection immediately. For other legitimate interest processing, we will comply unless we can demonstrate compelling overriding legitimate grounds.
Rights re Automated Decision-Making (Art. 22) Not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects on you. We do not use solely automated decision-making that produces legal or similarly significant effects on individuals.
Right to Withdraw Consent Withdraw consent at any time (where processing is consent-based) without affecting the lawfulness of prior processing.
Right to Lodge a Complaint Lodge a complaint with the supervisory authority in your EU Member State of habitual residence, place of work, or where the alleged infringement occurred. UK residents may contact the ICO at ico.org.uk or 0303 123 1113.
12.3  Canadian Residents — PIPEDA and Quebec Law 25

If you reside in Canada, you have the following rights:

  • Right of Access: Request access to the personal information we hold about you and information about how it has been and is being used and disclosed;
  • Right to Correction: Request correction of personal information that is inaccurate or incomplete;
  • Right to Withdraw Consent: Withdraw consent to our collection, use, or disclosure of personal information, subject to legal or contractual restrictions and reasonable notice. Withdrawal may limit our ability to provide certain Services;
  • Right to File a Complaint: File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca. Quebec residents may also contact the Commission d'accès à l'information (CAI) at www.cai.gouv.qc.ca

Quebec Law 25 — Specific Disclosures:

  • Our designated Privacy Officer is: Julien Francois, Chief Financial Officer, privacy@sureswiftcapital.com;
  • We conduct Privacy Impact Assessments (PIAs / EFVPs) prior to any cross-border communication of personal information from Quebec;
  • We do not use solely automated processing that produces legal or significant effects on individuals.
12.4  Other U.S. State Residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Montana (MCDPA), Oregon (OCPA), Utah (UCPA), and other states with comprehensive privacy statutes have the rights set out below. Please note that not all rights are available in every state – for example, Utah does not provide a right to correction. 

Right What It Means
Right of Access / Confirmation Confirm whether we process your personal data and obtain a copy of that data.
Right to Correction Request correction of inaccuracies in your personal data.
Right to Deletion Request deletion of personal data you have provided to us or that we have obtained about you.
Right to Portability Obtain personal data in a portable, readily usable format.
Right to Opt-Out Opt out of: (a) the sale of personal data; (b) targeted advertising; and (c) profiling in furtherance of solely automated decisions producing legal or similarly significant effects.
Right to Appeal If we decline your request, you may appeal by emailing privacy@sureswiftcapital.com with subject line "Privacy Rights Appeal - [Name Your State]." We will respond within 45 to 60 days as required by your state. If your appeal is denied, you may contact your State Attorney General.

Nevada Residents (SB 220): Nevada law gives certain residents the right to opt out of the sale of "covered information." We do not "sell" covered information as defined under Nevada law. Contact privacy@sureswiftcapital.com with questions.

12.5  How to Submit a Privacy Rights Request

To exercise any rights described in this Section 12, please use one of the following methods. All request mechanisms are designed to be accessible in accordance with Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. If you need assistance submitting a request due to a disability or require this Policy in an alternative format (e.g., large print, audio, or screen-reader-compatible), please contact us at privacy@sureswiftcapital.com with the subject line: "Privacy Rights Request" or 507-323-9225 and we will provide reasonable accommodations.

12.6  Verification of Identity

To protect your privacy and security, we must verify your identity before fulfilling your request. For account holders, we typically verify through account credentials. For non-account holders or where additional verification is needed, we may request information to reasonably identify you. We use verification information solely to process your request.

12.7  Authorized Agents

You may authorize an agent to submit requests on your behalf. We require written authorization (or a valid power of attorney) and may verify directly with you. California residents may designate an authorized agent by providing the agent with signed, written permission to act on their behalf.

12.8  Response Timeframes
  • California (CCPA/CPRA): 45 calendar days from receipt; extendable by 45 days with notice;
  • EEA/UK (GDPR/UK GDPR): 30 calendar days from receipt; extendable by 2 months with notice in complex cases;
  • Canada (PIPEDA): 30 calendar days from receipt; extendable where permitted;
  • Virginia, Colorado, Connecticut, Oregon: 45 days; extendable by 45 days with notice; Montana: 45 days; extendable by 15 days with notice;
  • Texas, Indiana: 45 days; extendable; and
  • Utah: 45 days; extendable by 45 days with notice.
12.9  Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights. We will not deny goods or services, charge different prices, or provide a different quality of service because you exercised any right under this Policy, except as permitted by law.

13.  Third-Party Links and Services

Our Site and Services may contain links to third-party websites, platforms, or integrations not operated by us. This Policy does not apply to those third-party services and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.

Where our Services integrate with third-party platforms (e.g., accounting, CRM, or productivity software), we recommend reviewing those providers' privacy policies to understand how they handle your personal information.

14.  Changes to This Privacy Policy

We may update this Policy periodically to reflect changes in our data practices, technology, or applicable law. When we make material changes, we will:

  • Update the "Effective Date" and "Last Updated" dates at the top of this Policy;
  • Post a prominent notice on our Site and/or within the Services;
  • Where required by applicable law, notify you by email or a notification within the Services prior to the change taking effect, and/or obtain your consent.

We encourage you to review this Policy periodically. Your continued use of the Site or Services after changes become effective constitutes acceptance of the updated Policy to the extent permitted by applicable law. Where applicable law (such as the GDPR or UK GDPR) requires affirmative consent for material changes, we will obtain such consent before the changes take effect. If you do not agree with the updated Policy, you should discontinue use of the Services.

15.  Who We Are and How to Contact Us

For questions, concerns, requests, or complaints about this Policy or our privacy practices, please contact us:

Legal Entity Name: SureSwift Worldwide Inc. dba LeadDyno
Website: https://www.leaddyno.com
Mailing: 5201 Eden Avenue, Suite 300
Edina, MN 55436
Attn: Privacy Officer
Privacy Contact Email: privacy@sureswiftcapital.com
Quebec Privacy Officer: Privacy Officer is: Julien Francois, Chief Financial Officer, privacy@sureswiftcapital.com


15.1  Supervisory Authorities

You also have the right to contact your relevant data protection supervisory authority:

  • EU Residents: The supervisory authority in your EU Member State of habitual residence, place of work, or where the alleged infringement occurred;
  • UK Residents: Information Commissioner's Office (ICO) – www.ico.org.uk | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF;
  • Canadian Residents (Federal): Office of the Privacy Commissioner of Canada (OPC) – www.priv.gc.ca;
  • Quebec Residents: Commission d'acces a l'information (CAI) – www.cai.gouv.qc.ca;
  • California Residents: California Privacy Protection Agency (CPPA) – www.cppa.ca.gov; and  
  • Other U.S. State Residents: Your applicable State Attorney General's office.

Appendix A:
Key Definitions

Term Definition
CCPA/CPRA California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the California Privacy Rights Act (Prop. 24), fully effective January 1, 2023
Controller The entity that determines the purposes and means of processing personal data
COPPA Children's Online Privacy Protection Act (15 U.S.C. §§6501-6506)
EEA European Economic Area: the 27 EU member states plus Iceland, Liechtenstein, and Norway
GDPR EU General Data Protection Regulation (EU) 2016/679
GPC Global Privacy Control: a browser/device opt-out preference signal for data sale and sharing
IDTA International Data Transfer Agreement: UK mechanism for compliant international personal data transfers, issued by the ICO
LIA Legitimate Interests Assessment: a documented balancing test performed under GDPR Art. 6(1)(f)
Personal Information / Personal Data Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable natural person
PIA / EFVP Privacy Impact Assessment / Évaluation des facteurs relatifs à la vie privée: assessment required under Quebec Law 25 before cross-border transfers
PIPEDA Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Canada)
Processor / Service Provider An entity that processes personal data on behalf of and under the instructions of a controller
Quebec Law 25 Act to Modernize Legislative Provisions Respecting the Protection of Personal Information (S.Q. 2021, c. 25)
SCCs Standard Contractual Clauses: European Commission-approved contractual safeguards for international data transfers (Commission Implementing Decision (EU) 2021/914)
Sensitive Personal Information CPRA: SSN, driver's license/passport numbers, financial account credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, health data, biometric identifiers, sexual orientation, private communications. GDPR Art. 9: racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.
UK GDPR The GDPR as retained in UK domestic law by the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019

Appendix B:
State-Specific Supplemental Disclosures

B.1  Colorado (Colorado Privacy Act – CPA, C.R.S. §6-1-1301 et seq.)

Colorado residents have rights of access, correction, deletion, portability, and opt-out of sale, targeted advertising, and profiling. To appeal a denied request, email privacy@sureswiftcapital.com with "Colorado Privacy Appeal" in the subject line within 45 days of our response. We will respond to the appeal within 45 days. If your appeal is denied, you may contact the Colorado Attorney General at coag.gov/file-complaint.

B.2  Connecticut (Connecticut Data Privacy Act – CTDPA, Conn. Gen. Stat. §42-515 et seq.)

Connecticut residents have rights of access, correction, deletion, portability, and opt-out. To appeal a denied request, email privacy@sureswiftcapital.com with "Connecticut Privacy Appeal" in the subject line. We will respond within 60 days. If denied, contact the Connecticut Attorney General at ct.gov/ag.

B.3  Virginia (Consumer Data Protection Act – VCDPA, Va. Code §§59.1-575 et seq.)

Virginia residents have rights of access, correction, deletion, portability, and opt-out. To appeal, email privacy@sureswiftcapital.com with "Virginia Privacy Appeal" in the subject line within 45 days of our response; we will respond within 60 days. If denied, contact the Virginia Attorney General at oag.state.va.us.

B.4  Texas (Texas Data Privacy and Security Act – TDPSA, Tex. Bus. & Com. Code §541 et seq.)

Texas residents have rights of access, correction, deletion, portability, and opt-out. To appeal, email privacy@sureswiftcapital.com with "Texas Privacy Appeal" in the subject line. We will respond within 45 days. If denied, contact the Texas Attorney General at www.texasattorneygeneral.gov.

B.5  Oregon (Oregon Consumer Privacy Act – OCPA, Or. Rev. Stat. §646A.570 et seq.)

Oregon residents have rights of access, correction, deletion, portability, and opt-out. To appeal, email privacy@sureswiftcapital.com with "Oregon Privacy Appeal" in the subject line. If denied, contact the Oregon Attorney General at doj.state.or.us.

B.6  Montana (Montana Consumer Data Privacy Act – MCDPA, Mont. Code Ann. §30-14-3201 et seq.)

Montana residents have rights of access, correction, deletion, portability, and opt-out. To appeal a denied request, email privacy@sureswiftcapital.com with "Montana Privacy Appeal" in the subject line; we will respond within 45 days.

B.7  Utah (Utah Consumer Privacy Act –UCPA, Utah Code §13-61-101 et seq.)

Utah residents have rights of access, deletion, portability, and opt-out of sale of personal data and targeted advertising. Response time: 45 days, extendable by 45 days with notice. Submit requests using the methods in Section 12.5.

B.8  Delaware, Indiana, Iowa, Tennessee, and Other Enacting States

We will comply with all enacted comprehensive U.S. state privacy laws as they come into effect, including but not limited to laws in Delaware, Indiana, Iowa, Tennessee, New Hampshire, New Jersey, Nebraska, Kentucky, Maryland, Minnesota, and Rhode Island. If your state has enacted such a law and it covers our processing activities, you may exercise your applicable rights using the methods described in Section 12.5. Contact us at privacy@sureswiftcapital.com and we will respond in accordance with your applicable rights and the timeframes required by your state's law.