Privacy Policy

1. Introduction and Data Controller

This Privacy Policy describes how DMG L&D, LLC ("Company," "we," "our," or "us") collects, uses, stores, shares, and protects your personal information when you access or use the sneyk platform, website, API, and all related services (collectively, the "Service") available at sneyk.com.

DMG L&D, LLC is the data controller responsible for your personal information. For the purposes of the EU General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and all other applicable privacy legislation, the data controller is:

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this Privacy Policy, you must immediately discontinue use of the Service.

This Privacy Policy applies to all users of the Service, including visitors, registered account holders, API consumers, and subscribers, regardless of geographic location.

2. Information We Collect

2.1 Personal Information You Provide Directly

When you register for an account, subscribe to a plan, or otherwise interact with our Service, we collect:

• Identifiers: Full name, email address, username
• Account credentials: Password (stored only in irreversibly hashed form using industry-standard algorithms; we never store plaintext passwords)
• Billing and commercial information: Subscription plan, payment method details, transaction history, invoices (full payment card numbers are processed and stored exclusively by Stripe, Inc.; we receive only the last four digits, card brand, and expiration date)
• Professional information: Company name, industry, and job title if voluntarily provided
• Communication data: Messages sent through our contact form, support requests, and email correspondence
• Consent records: Your cookie and privacy consent preferences, including timestamps and version identifiers, which are logged for GDPR/CCPA audit trail purposes

2.2 Information Collected Automatically

When you access the Service, we automatically collect the following through server logs and tracking technologies:

• Internet and network activity: IP address, browser type and version, operating system, referring URL, pages visited, features accessed, search queries and filters used, click patterns, and session duration
• Device information: Device type, screen resolution, language preferences, and time zone
• API usage data: API endpoints called, request timestamps, response codes, rate limit consumption, and API key identifiers
• Geolocation data: Approximate geographic location inferred from your IP address (we do not collect precise GPS-based geolocation)

2.3 Sources of Personal Information

We collect personal information from the following sources:

• Directly from you: Account registration, subscription forms, contact forms, support requests, and any voluntary profile information you provide
• Automatically from your device: Through cookies, web server logs, and analytics technologies when you interact with the Service
• From our service providers: Stripe (payment confirmation and subscription status), Amazon Web Services (infrastructure logs), and analytics providers (aggregated usage metrics)

2.4 Cookies, Local Storage, and Tracking Technologies

We use cookies, browser local storage, and similar technologies. Non-essential cookies and tracking technologies are blocked by default and are only activated after you provide affirmative consent through our cookie consent banner. You may modify your preferences at any time by clicking "Cookie Preferences" in the footer of any page. Specifically:

• Essential cookies and local storage: Required for authentication (session token), security (CSRF protection), and remembering your user preferences such as theme (dark/light mode) and sidebar state. These cannot be disabled as they are strictly necessary for the Service to function.
• Performance cookies: Amazon CloudWatch Real User Monitoring (RUM) for error detection, page load performance metrics, and client-side error tracking. Only activated with your explicit consent.
• Analytics cookies: Google Analytics (with IP anonymization enabled) and Plausible Analytics for understanding traffic sources, page views, and aggregate usage patterns. Data collected by analytics providers is anonymized or pseudonymized. Only activated with your explicit consent.

We also use Google Consent Mode v2, which ensures that Google tags respect your consent choices. When analytics consent is denied, Google Analytics does not set cookies and does not collect identifiable data.

Your cookie consent preferences are stored in your browser's local storage and summarized in a first-party cookie (cookie_consent) for server-side reading. Consent decisions are also transmitted to our server and logged with a timestamp for regulatory audit trail compliance.

2.5 Sensitive Personal Information

We do not intentionally collect sensitive personal information as defined under CPRA (e.g., Social Security numbers, precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric identifiers, health information, sexual orientation, or contents of private communications). If we inadvertently receive sensitive personal information, we will delete it promptly upon discovery. Our Service is a business intelligence platform for publicly available Florida corporate filings and does not require or request sensitive personal information from users.

3. How We Use Your Information

We process your personal information for the following specific purposes, each linked to a lawful basis under applicable law:

• Service delivery and account management: To create and manage your account, authenticate your identity, provide access to platform features, process search queries, generate exports, and deliver API responses. (Legal basis: performance of a contract)
• Payment processing and billing: To process subscription payments through Stripe, issue invoices, manage plan upgrades and downgrades, and handle refunds. (Legal basis: performance of a contract)
• Service communications: To send transactional emails including account activation, password resets, subscription confirmations, usage alerts, and security notifications. (Legal basis: performance of a contract; legitimate interest)
• Platform improvement and analytics: To analyze aggregate usage patterns, diagnose technical issues, monitor performance, and improve the Service. (Legal basis: legitimate interest)
• Security and fraud prevention: To detect and prevent unauthorized access, abuse, and fraudulent activity, enforce rate limits, and maintain the integrity of the Service. (Legal basis: legitimate interest; legal obligation)
• Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to establish, exercise, or defend legal claims. (Legal basis: legal obligation; legitimate interest)
• Marketing communications: To send promotional content, product updates, and newsletters, only with your explicit prior consent. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by updating your communication preferences in your account settings. (Legal basis: consent)

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you. Our platform does not make automated decisions about pricing, creditworthiness, employment eligibility, or any other consequential determination based on your personal data.

4. Information Sharing and Disclosure

We do not sell, rent, trade, or otherwise transfer your personal information to third parties for monetary or other valuable consideration. We share personal information only in the following limited circumstances:

4.1 Service Providers (Processors)

We engage the following categories of third-party service providers who process personal information on our behalf under written data processing agreements that restrict their use of data to the specific services they provide to us:

• Cloud infrastructure: Amazon Web Services, Inc. (AWS) — hosting, data storage (S3), compute (EC2), email delivery (SES), content delivery (CloudFront), performance monitoring (CloudWatch RUM). Data is processed and stored in the United States (us-east-1 region).
• Payment processing: Stripe, Inc. — payment card processing, subscription management, invoicing. Stripe is a PCI DSS Level 1 certified service provider. Stripe's privacy practices are governed by the Stripe Privacy Policy.
• Analytics: Google LLC (Google Analytics with IP anonymization) and Plausible Insights OÜ (Plausible Analytics, a privacy-focused analytics provider that does not use cookies and does not collect personal data). Analytics are only active when you have consented to analytics cookies.
• Domain and DNS: Namecheap, Inc. or Amazon Route 53 — domain registration and DNS resolution.

4.2 Legal Requirements

We may disclose your personal information if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation, regulation, subpoena, court order, or other enforceable governmental request; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or personal safety of DMG L&D, LLC, our users, or the public; or (d) detect, prevent, or otherwise address fraud, security, or technical issues.

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, receivership, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information, before the transfer occurs.

4.4 With Your Consent

We may share your personal information for purposes not described in this Privacy Policy only with your explicit prior consent.

4.5 Aggregate and De-Identified Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you. Such data is not considered personal information under applicable privacy laws.

5. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements. Specific retention periods by data category:

• Account data (name, email, credentials): Retained for the duration of your active account. Upon account deletion, personal data is purged within 30 days, except as required by law.
• Billing and transaction records: Retained for 7 years from the date of the transaction to comply with tax, accounting, and financial reporting obligations.
• Server and API access logs: Retained for 90 days for security monitoring and debugging, then automatically deleted.
• Usage analytics data: Retained in aggregated, non-identifiable form for up to 24 months for platform improvement purposes.
• Support correspondence: Retained for 2 years from the date of the last communication, or longer if related to an unresolved dispute.
• Cookie consent records: Retained for the duration required by applicable law (minimum 3 years under GDPR guidance) for audit trail and compliance purposes.
• Marketing consent records: Retained for 3 years after consent is withdrawn, to demonstrate prior lawful processing.

When retention periods expire, personal data is securely deleted or irreversibly anonymized using industry-standard methods. You may request earlier deletion of your data by exercising your rights as described in Section 8 of this Privacy Policy.

6. Data Security

We implement appropriate technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption of all data in transit using TLS 1.2 or higher
• Encryption of data at rest using AES-256 (via AWS S3 server-side encryption and RDS encryption)
• Passwords stored using irreversible cryptographic hashing with per-user salts
• Two-factor authentication (2FA) available for all user accounts
• Role-based access controls restricting internal access to personal data on a need-to-know basis
• Regular security assessments and vulnerability scanning
• Automated monitoring and alerting for suspicious activity
• Incident response procedures documented and tested regularly

While we take reasonable precautions to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incident.

6.1 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: (a) notify the relevant supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, as required under GDPR Article 33; (b) notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required under GDPR Article 34; and (c) notify affected individuals in accordance with applicable US state breach notification laws. Notification will be provided via email to the address associated with your account and, where appropriate, through a prominent notice posted on our website. The notification will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach.

7. International Data Transfers

The Service is operated from the United States. Your personal information is processed and stored on servers located in the United States (specifically, the AWS us-east-1 region). If you access the Service from outside the United States, including from the European Economic Area ("EEA"), the United Kingdom ("UK"), Switzerland, Canada, or Brazil, your information will be transferred to, stored in, and processed in the United States.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the following legal mechanisms to ensure adequate protection: (a) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, where applicable; (b) Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), executed with our service providers; and (c) supplementary measures including encryption and access controls, informed by transfer impact assessments.

By using the Service, you acknowledge and consent to the transfer, processing, and storage of your personal information in the United States as described in this Privacy Policy.

8. Your Privacy Rights

Depending on your jurisdiction and applicable law, you may have some or all of the following rights with respect to your personal information:

• Right of access: Request confirmation of whether we process your personal information and obtain a copy of the specific pieces of personal information we hold about you.
• Right to rectification/correction: Request correction of inaccurate or incomplete personal information.
• Right to erasure/deletion: Request deletion of your personal information, subject to exceptions for legal obligations, dispute resolution, or contract performance.
• Right to data portability: Request a copy of your personal information in a structured, commonly used, machine-readable format (e.g., JSON or CSV), and request that we transmit it to another controller where technically feasible.
• Right to restrict processing: Request that we limit our processing of your personal information in certain circumstances (e.g., while we verify accuracy of contested data).
• Right to object: Object to processing of your personal information based on legitimate interests, including for direct marketing purposes. Where you object to direct marketing, we will cease processing without exception.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction. EEA residents may file a complaint with their local Data Protection Authority. UK residents may contact the Information Commissioner's Office (ICO).

8.1 How to Exercise Your Rights

You may exercise your rights through any of the following methods:

• Email: Send your request to [email protected]
• Contact form: Submit a request through our Contact page
• Account settings: Certain rights (such as data export and account deletion) may be exercised directly through your account dashboard

We will verify your identity before processing your request by matching information you provide against our existing records. For GDPR requests, we will respond within 30 days. For CCPA/CPRA requests, we will respond within 45 days. These response periods may be extended once by an equal period where necessary due to the complexity or volume of requests, and we will notify you of any such extension.

8.2 Account Deletion

You may request full deletion of your account and associated personal data at any time by emailing [email protected] or through your account settings. Upon receiving a verified deletion request, we will delete your personal data within 30 days, except for data we are required to retain by law (e.g., billing records retained for 7 years per tax obligations). We will confirm the completion of your deletion request via email.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"). This section supplements the rest of this Privacy Policy with information specific to California residents.

9.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers: Name, email address, IP address, account username
• Commercial information: Subscription plan, transaction history, payment records
• Internet or other electronic network activity: Browsing history on our platform, search queries, pages visited, API usage, interaction with our website
• Geolocation data: Approximate location inferred from IP address
• Professional or employment-related information: Company name, industry, job title (if voluntarily provided)
• Inferences drawn from the above: User preferences (theme, sidebar state) and usage patterns for platform improvement

9.2 Sale and Sharing of Personal Information

We do not sell your personal information.We have not sold personal information in the preceding 12 months and have no plans to do so. We do not "share" your personal information for cross-context behavioral advertising as defined by the CPRA. Because we do not sell or share personal information, a "Do Not Sell or Share My Personal Information" link is not required; however, if our practices change, we will update this policy and provide the required link and opt-out mechanism.

9.3 Sensitive Personal Information

We do not collect or process sensitive personal information as defined under CPRA Section 1798.140(ae), including Social Security numbers, driver's license numbers, financial account numbers with access credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of private communications, genetic data, biometric data, health information, or sex life/sexual orientation data.

9.4 Your California Rights

As a California resident, you have the right to:

• Right to know: Request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to delete: Request deletion of personal information we have collected from you, subject to certain legal exceptions.
• Right to correct: Request correction of inaccurate personal information we maintain about you.
• Right to opt-out of sale/sharing: Although we do not sell or share personal information, you may contact us at any time to confirm this.
• Right to limit use of sensitive personal information: Although we do not collect sensitive personal information, you may contact us to confirm this.
• Right to non-discrimination: We will not deny you goods or services, charge you different prices, provide a different level or quality of service, or suggest that you will receive a different price or rate for exercising any of your CCPA/CPRA rights.

To exercise your California privacy rights, email [email protected] or use our contact form. We will respond to verifiable consumer requests within 45 days. You may also designate an authorized agent to submit requests on your behalf; we will require proof of authorization and may still verify your identity directly.

9.5 Global Privacy Control

We honor Global Privacy Control (GPC) signals. If your browser or device transmits a GPC signal, we will treat it as a valid opt-out request for the sale or sharing of personal information as required by the CCPA/CPRA, even though we do not currently sell or share personal information.

10. European and UK Privacy Rights (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. This section supplements the rest of this Privacy Policy for EEA, UK, and Swiss residents.

10.1 Lawful Basis for Processing

We process your personal data under the following lawful bases:

• Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, process subscriptions, deliver search results, and provide API access.
• Legitimate interests (Art. 6(1)(f)): Processing for platform security, fraud prevention, service improvement, analytics (in aggregate), and internal administration. We have conducted balancing tests to ensure our legitimate interests do not override your fundamental rights.
• Legal obligation (Art. 6(1)(c)): Processing required by law, such as tax record retention and responding to lawful government requests.
• Consent (Art. 6(1)(a)): Processing based on your freely given, specific, informed consent, including non-essential cookies (performance and analytics), marketing emails, and any future optional processing activities. You may withdraw consent at any time.

10.2 Your GDPR Rights

In addition to the rights described in Section 8, you have the right to: (a) request a copy of the Standard Contractual Clauses or other safeguards we use for international data transfers; (b) lodge a complaint with your local Data Protection Authority (a list of EEA DPAs is available at edpb.europa.eu); and (c) for UK residents, lodge a complaint with the Information Commissioner's Office at ico.org.uk.

11. Other US State Privacy Rights

In addition to California, residents of the following US states have privacy rights under their respective state laws, including but not limited to: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), and other states that have enacted comprehensive consumer privacy legislation.

If you reside in one of these states, you generally have the right to: (a) confirm whether we are processing your personal data; (b) access your personal data; (c) correct inaccuracies in your personal data; (d) delete your personal data; (e) obtain a portable copy of your personal data; and (f) opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

We do not sell personal data, engage in targeted advertising based on personal data, or profile consumers for decisions producing legal or similarly significant effects. To exercise your state privacy rights, contact us at [email protected]. If we decline your request, you may appeal the decision by contacting us at the same email address with the subject line "Privacy Rights Appeal."

12. Children's Privacy

The Service is not directed to and is not intended for use by children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at [email protected]. If we become aware that we have collected personal information from a child under 16 without verified parental consent, we will take immediate steps to delete that information from our systems.

The age threshold of 16 applies to ensure compliance with both the US Children's Online Privacy Protection Act (COPPA, which applies to children under 13) and the GDPR (which allows member states to set the age of digital consent between 13 and 16).

13. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services that are not operated or controlled by us, including links to Stripe's payment portal, analytics dashboards, and external resources. This Privacy Policy does not apply to any third-party sites or services. We are not responsible for the privacy practices, content, or data collection of any third party. We encourage you to review the privacy policies of any third-party services you interact with. The inclusion of a link does not imply endorsement of the linked site or service by DMG L&D, LLC.

14. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. There is currently no universally accepted standard for how companies should respond to DNT signals. We do not currently alter our data collection and use practices in response to DNT signals. However, we do honor Global Privacy Control (GPC) signals as described in Section 9.5.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the "Last Updated" date at the top of this page. For material changes that significantly affect your rights or our obligations, we will provide at least 30 days' prior notice by: (a) sending an email to the address associated with your account; and/or (b) posting a prominent notice on the Service. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically.

16. Governing Law and Dispute Resolution

This Privacy Policy and any disputes arising out of or related to it shall be governed by and construed in accordance with the laws of the State of Florida, United States, without regard to its conflict of law provisions, except where superseded by applicable mandatory privacy legislation (including the GDPR, UK GDPR, CCPA/CPRA, and other state or national privacy laws that may not be contracted away). Any legal action or proceeding relating to this Privacy Policy shall be brought exclusively in the state or federal courts located in the State of Florida, and you consent to the personal jurisdiction of such courts. Nothing in this section limits your right to lodge a complaint with a data protection supervisory authority in your jurisdiction.

17. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, have concerns about our data practices, or would like to file a complaint, you may contact us through any of the following methods:

We will acknowledge receipt of your inquiry within 5 business days and aim to provide a substantive response within 30 days. If your inquiry relates to the exercise of a privacy right, response times are governed by the applicable timelines described in Sections 8, 9, and 10 of this Privacy Policy.