Privacy Policy
Effective Date: May 13, 2026 · Last Updated: May 13, 2026 · Version: 1.2
This Privacy Policy explains how CI Web Group, Inc. (“CI Web Group,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you visit any website operated by CI Web Group, including https://ciwebgroup.com, https://getstarted.ciwebgroup.com, and any other ciwebgroup.com subdomain operated by CI Web Group (collectively, the “Sites”), or use our services, platforms, and AI tools (the “Services”). It also describes the rights you have under U.S. state privacy laws, the EU/UK GDPR, and other applicable laws.
This Privacy Policy does not apply to client-owned websites or client-operated properties (including websites hosted on Hydra OS under a client’s own domain), which are governed by the client’s own privacy policy.
If you are a resident of California, the EU/UK, or another jurisdiction with specific rights, see Sections 9–11 below.
1. Notice at Collection (California Residents)
At the point we collect personal information from you, we are providing the notice required by Cal. Civ. Code § 1798.100(b). The categories of personal information we collect, the purposes for which we use them, and whether we “sell” or “share” them are summarized in the table in Section 3. We do not sell personal information for monetary consideration. We may “share” personal information for cross-context behavioral advertising as defined under CPRA when our advertising and analytics pixels are active; you have the right to opt out (see Section 9).
2. Who We Are; Contact
Data Controller: CI Web Group, Inc., a Texas corporation.
Mailing Address: CI Web Group, Inc., Attn: Privacy, 3120 PMB 92129, Suite 100, Houston, Texas 77098
Phone: (877) 839-1122
Email: [email protected]
EU/UK residents may also contact our designated EU/UK representative (see Section 10).
3. Personal Information We Collect
We collect personal information in the following categories. Categories track the CCPA/CPRA framework and apply broadly to all visitors and Clients across the Sites.
| Category | Examples | Sources | Purposes | Disclosed to |
|---|---|---|---|---|
| Identifiers | Name, email, phone, account ID, IP address | You; cookies; service providers | Account, billing, support, communications | Sub-processors; service providers |
| Customer records | Billing address, payment-card token | You; Stripe | Billing, fraud prevention | Stripe; accounting providers |
| Commercial info | Services purchased, transaction history, MSA/SOW data | You; our systems | Service delivery, account management | Sub-processors |
| Internet/electronic activity | Pages viewed, clicks, referrer, device/browser, session recordings | Cookies, pixels, server logs, Microsoft Clarity | Analytics, performance, security, ads | Analytics providers; ad networks |
| Geolocation (general) | City/region inferred from IP | Server logs | Localization, fraud prevention | Sub-processors |
| Audio/visual | Voice calls, SMS, screen/session recordings, support video | Twilio; Microsoft Clarity; you | Support, training (de-identified), recordkeeping | Sub-processors |
| Professional/employment | Job title, company, role | You | Lead qualification, account context | CRM provider |
| Inferences | Buyer signals, segment, engagement scores | Our systems | Marketing, account-management decisions | None outside service providers |
| Sensitive info (CPRA) | Account credentials | You | Authentication only | None |
We do not intentionally collect: government IDs, precise geolocation, biometric data, health information, immigration status, sexual orientation, race/ethnicity, religious beliefs, or union membership. Do not submit such information through the Sites.
4. How We Collect Information
- Directly from you when you submit a form, create an account, sign an MSA/SOW, or communicate with us.
- Automatically through cookies, web beacons, pixels, server logs, and session-replay tools when you visit the Sites.
- From service providers such as Stripe, Twilio, SendGrid, our CRM, and our hosting/infrastructure providers.
- From AI Providers when AI Output relates to your account (we receive metadata and tokens-consumed data, not the substance of other customers’ prompts).
- From public sources including business directories and public records, used for lead enrichment.
5. Cookies, Pixels, and Tracking Technologies
The Sites use cookies and similar technologies. The current cookie table is below. Browser settings allow you to block or delete cookies; doing so may impair Site functionality.
| Cookie / technology | Type | Purpose | Retention |
|---|---|---|---|
| Strictly necessary (session, auth, CSRF) | First-party | Site operation, security | Session or up to 1 year |
| Preferences | First-party | Remember your settings | Up to 1 year |
| Google Analytics | First-party / third-party | Site analytics | Up to 14 months |
| Google Ads / Floodlight | Third-party | Advertising, conversion tracking | Up to 24 months |
| Meta Pixel | Third-party | Advertising, conversion tracking | Up to 24 months |
| LinkedIn Insight Tag | Third-party | Advertising, conversion tracking | Up to 24 months |
| TikTok Pixel | Third-party | Advertising, conversion tracking | Up to 13 months |
| Microsoft Clarity | Third-party | Session replay, heatmaps, UX | Up to 13 months |
| Server-side conversion APIs | Server-to-server | Conversion attribution | Per provider |
Session-replay disclosure. Microsoft Clarity records mouse movements, clicks, scrolls, and page interactions on the Sites. Clarity uses masking by default to obscure typed input in form fields. By using the Sites, you consent to such recording where required. If you do not consent, please exit the Sites.
Do Not Track / Global Privacy Control. Our Sites respond to recognized Global Privacy Control (“GPC”) signals as an opt-out request from California residents and from residents of other states whose laws recognize GPC. We do not currently respond to the Do Not Track browser header because there is no industry consensus on its meaning. We are working to expand consent infrastructure (including a consent banner) in the near term; until then, you may opt out of advertising/analytics tracking through the means described in Section 9.
6. How We Use Personal Information
We use personal information to:
- Provide, operate, and support the Services;
- Authenticate users and secure the Sites;
- Process payments and manage accounts;
- Communicate with you about your account, transactions, and support requests;
- Send marketing communications you have consented to (or that are permitted by law), which you may opt out of at any time;
- Improve, develop, and personalize the Services;
- Detect, prevent, and respond to fraud, abuse, and security incidents;
- Comply with legal obligations and enforce our agreements;
- Aggregate or de-identify data, after which it is no longer personal information.
7. AI Processing of Personal Information
CI Web Group leverages multiple artificial intelligence systems extensively throughout its operations, including in the design, development, and maintenance of Hydra OS and other CI Web Group platforms, content production, audits, analyses, research, strategy, planning, design work, code generation, and quality review. Certain Services route prompts, inputs, and outputs through CI Web Group’s proprietary systems and through third-party AI Providers (currently including OpenAI, Anthropic, and Google).
- No training on customer data. Per the data-processing agreements we maintain with our AI Providers, customer prompts and outputs submitted through the Services are not used to train their foundation models.
- Sub-processor processing. AI Providers process inputs on our behalf as sub-processors, subject to their published terms and applicable security and confidentiality commitments.
- Logging. AI Providers may retain prompts and outputs for short-term abuse-monitoring purposes (typically 30 days or less; see each provider’s terms).
- Output review. AI Output may include errors, fabrications, or third-party content. Do not submit sensitive personal data into AI inputs unless required and appropriate.
- Internal AI use. AI assistance may be used in producing any deliverable, audit, analysis, or other content provided to you, whether or not the AI assistance is visible. The disclaimers in the Terms of Service apply to all such AI Output.
8. How We Share Personal Information
We share personal information with:
- Service providers and sub-processors acting on our behalf under contract, including (as of the effective date): Stripe (payments), Twilio (SMS/voice), SendGrid (email), Google (Workspace, Analytics, Ads, Gemini), Meta (advertising), LinkedIn (advertising), TikTok (advertising), Microsoft (Clarity, Azure), Amazon Web Services / Cloudflare (infrastructure), Supabase (data layer), OpenAI, Anthropic, and our CRM provider.
- Advertising and analytics partners who collect information directly through pixels and cookies described in Section 5. Under CPRA, this constitutes “sharing” for cross-context behavioral advertising; you may opt out (Section 9).
- Legal authorities when required by law, subpoena, court order, or to protect rights, safety, and property.
- In a corporate transaction such as a merger, acquisition, financing, or asset sale, subject to confidentiality.
- With your consent for any other purpose disclosed at the time.
We do not sell personal information for monetary consideration.
9. California Residents — CCPA / CPRA Rights
If you are a California resident, you have the right to: know what personal information we collect, use, disclose, sell, or share; access a copy of your personal information; delete personal information, subject to legal exceptions; correct inaccurate personal information; limit use of sensitive personal information; opt out of sale or sharing for cross-context behavioral advertising; and non-discrimination for exercising your rights.
How to exercise. Submit a request to [email protected] with the subject “California Privacy Request” or use the “Do Not Sell or Share My Personal Information” link in our footer. We will respond within forty-five (45) days; we may extend by an additional forty-five (45) days with notice. We will verify your identity through your account or by matching identifying information. You may designate an authorized agent with written authorization. A recognized GPC signal sent from your browser is treated as an opt-out of sale/sharing for that browser/device. We do not offer financial incentives for personal information.
10. EU/UK/EEA Residents — GDPR Rights
If you are in the EU, UK, or EEA, CI Web Group is the controller of personal data described in this Policy unless we are processing on behalf of a Client (in which case the Client is controller and we are processor).
Legal bases. We process personal data on these legal bases: (a) contract — to provide the Services you requested; (b) legitimate interests — to operate, secure, and improve our business; (c) consent — for non-essential cookies and marketing where required; (d) legal obligation — to comply with law.
Your rights: access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent at any time without affecting prior processing. You also have the right to lodge a complaint with a supervisory authority in the EU/UK. We transfer personal data to the United States and other jurisdictions, relying on Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplementary measures as appropriate. EU/UK residents may contact us at [email protected].
11. Other State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) have rights substantially similar to those described in Section 9, including access, deletion, correction, portability, and opt-out of targeted advertising and “sale.” To exercise these rights, contact [email protected]. We will respond within the time period required by the applicable state law (typically forty-five (45) days). Where required, an appeal process is available; appeals may be sent to [email protected].
12. Children’s Privacy
The Services are not directed to children under sixteen (16) and we do not knowingly collect personal information from anyone under sixteen. If you believe a child has provided personal information to us, contact [email protected] and we will delete it.
13. Retention
We retain personal information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods:
- Account data — for the life of the account, plus seven (7) years for tax/accounting;
- Billing records — seven (7) years;
- Support tickets and communications — three (3) years;
- Web analytics — fourteen (14) months;
- Session recordings — thirteen (13) months;
- Security logs — twelve (12) months;
- Marketing lists — until opt-out plus a short suppression period.
14. Security
We use commercially reasonable administrative, technical, and physical safeguards including TLS in transit, encryption at rest for sensitive stores, access controls, logging, multi-factor authentication for staff, and regular review. No system is perfectly secure; we do not warrant absolute security.
15. Breach Notification
If we determine a security incident has resulted in unauthorized access to or acquisition of your personal information, we will notify you and applicable regulators as required by law and without unreasonable delay.
16. Marketing Communications & Text Messaging (SMS)
You may unsubscribe from marketing email via the link in any message or by contacting [email protected]. Transactional and service-related messages may continue.
SMS/text messaging program. If you provide your mobile number and opt in — for example, by checking the SMS consent box on a form on our Sites — you agree to receive recurring text messages from CI Web Group related to your inquiry, your account, appointments, and, where you have separately consented, marketing. Message frequency varies. Message and data rates may apply. Reply STOP to unsubscribe at any time, or HELP for help. Consent to receive text messages is not a condition of any purchase.
No sharing of mobile opt-in data. Mobile phone numbers and SMS consent collected for text-messaging purposes will not be shared with, sold, or rented to third parties or affiliates for their own marketing or promotional purposes. Mobile numbers may be disclosed only to the messaging service providers (such as Twilio) that operate the texting program on our behalf, solely to deliver the messages you requested. No mobile information is shared with third parties or affiliates for marketing purposes.
17. Third-Party Sites and Services
The Sites may link to third-party websites and tools. We are not responsible for their practices. Review their policies before providing personal information.
18. Changes to This Policy
We may update this Policy by posting a revised version with a new “Last Updated” date. Material changes will be communicated by email or in-product notice not less than thirty (30) days before they take effect.
19. Data Processing Addendum
A Data Processing Addendum (DPA) is available to Clients on request by contacting [email protected]. Where required by law, the DPA will be executed prior to processing personal data of EU/UK/EEA data subjects.
20. Contact
CI Web Group, Inc.
Privacy Team
3120 PMB 92129, Suite 100
Houston, Texas 77098
Phone: (877) 839-1122
Email: [email protected]