
Privacy notice.

This is the policy we operate by. We publish it openly so prospective clients and partners can see how we work before they engage us. Final binding terms are negotiated and attached to each engagement.

§ 01

Introduction.

SUMMIT REACH LLC ("SUMMIT REACH," "we," "us," or "our") is a Wyoming limited liability company with its principal place of business at 1003 N Gould St, Sheridan, Wyoming 82801, United States. We operate the website at summitreachsoft.com (the "Site") and provide custom software engineering and applied AI analytics services to mid-market companies (the "Services").

This notice explains what personal information we collect when you interact with the Site or our direct contact channels, how we use it, who we share it with, what rights you have, and how to exercise them.

Scope: This notice covers information we collect as a controller through the Site. It does not cover information we process on behalf of a client under an engagement contract — see the Data Processing Agreement at /dpa.

§ 02

What we collect, and from where.

2.1 Information you provide directly.

  • Contact information — name, work email, employer, role.
  • Engagement context — project description, budget range, timeline.
  • Correspondence content — body of emails, scheduled-call notes, documents you share.
  • Engagement records — proposals, statements of work, invoices, payment records (only post-engagement).

We do not ask for and do not want special-category personal data under GDPR Article 9 (race, ethnicity, political opinions, religion, philosophical beliefs, trade-union membership, genetic / biometric data, health, sex life, sexual orientation). If any is inadvertently submitted we delete it without processing.

2.2 Information collected automatically. The hosting layer logs, per request: IP address, user-agent, referrer URL, request line, HTTP status, bytes served, UTC timestamp. Retention 90 days. We operate no third-party analytics, advertising, or behavioural tracking and the Site loads no third-party cookies. If that changes, this notice is updated and the consent-record version is bumped so every visitor is re-prompted.

2.3 Information from third parties. None currently. Referral-introduced enquiries are processed on the basis of legitimate interest; you may object at any time.

§ 03

Article 6 lawful basis for each processing purpose.

Under GDPR Article 6 and the UK GDPR mirror, we must state the legal basis for each purpose:

| Purpose | Lawful basis |
|---|---|
| Respond to enquiry, scope work, negotiate engagement | Art. 6(1)(b) — steps prior to entering a contract |
| Operate an engagement under a signed SoW | Art. 6(1)(b) — performance of contract |
| Site security, abuse prevention, incident response | Art. 6(1)(f) — legitimate interests (balanced against 90-day retention) |
| Tax, accounting, legal-obligation duties | Art. 6(1)(c) — legal obligation |
| Marketing communications (no programme active today) | Art. 6(1)(a) — consent, with one-click unsubscribe |

Where the basis is legitimate interests, you may object at any time; we stop unless we can show compelling legitimate grounds.

§ 04

How we share — service providers and subprocessors.

Service providers (processors): hosting / infrastructure, Google Workspace (DPF certified), GitHub, Linear, Notion, Cloudflare (CDN), Bunny Fonts (EU-hosted). Named list at /subprocessors; 30-day prior notice on additions.

Professional advisors (accounting, legal counsel) may receive personal data incidental to invoicing or dispute resolution; bound by professional-confidentiality duty + signed NDA; access is exception-only.

Legal-compliance disclosures: only when compelled by law, subpoena, or government request. We push back on over-broad requests and notify affected parties where legally permitted.

Business transfers: in a merger, acquisition, or asset sale, your information may transfer to the successor under the protections in this notice.

We do not sell personal information within the meaning of CCPA / CPRA, and we do not share for cross-context behavioural advertising. No advertising or data-broker programme exists or is planned.

§ 05

Retention.

| Data | Retention | Reason |
|---|---|---|
| Server logs (IP, UA, request) | 90 days | Security, debugging |
| Consent cookie sr_consent_v1 | 180 days | Banner choice |
| Unconverted enquiry data | 12 months | Conversation continuity |
| Engagement records (proposals, SoWs, invoices, deliverables) | 7 years post-engagement | Tax + dispute defence |
| Encrypted backups | 90-day rolling | Disaster recovery |

When retention expires, data is deleted from active stores within 30 days; backups expire on their own rolling schedule.

§ 06

Security and breach notification.

Detailed posture at /trust. Highlights: TLS 1.3 + HSTS preload; AES-256 at rest with cloud-managed keys; Google Workspace SSO + YubiKey 5 hardware second factor for production access; 1Password Business; quarterly access reviews; managed laptops with EDR; US background checks before production access.

Breach notification (GDPR Articles 33 / 34). If a personal-data breach is likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours of becoming aware. Where the breach is likely to result in a high risk, affected data subjects are notified without undue delay in clear and plain language.

§ 07

Your rights under GDPR and UK GDPR.

If you are in the EEA, UK, or Switzerland you have the following rights, exercisable at any time and free of charge in normal cases:

  • Access (Art. 15) — copy of your data + recipient categories + retention periods.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure (Art. 17) — deletion where an Art. 17 ground applies.
  • Restriction (Art. 18) — pause processing while a dispute is resolved.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format (JSON or CSV).
  • Object (Art. 21) — to legitimate-interests processing.
  • Withdraw consent (Art. 7(3)) — at any time, as easily as it was given.
  • Lodge a complaint (Art. 77) — with your local supervisory authority. UK: ICO (ico.org.uk); Ireland: DPC (dataprotection.ie); EU: edpb.europa.eu.

To exercise any right, email privacy@summitreachsoft.com. We acknowledge within 5 business days and substantively respond within 30 calendar days (extendable to 90 for complex requests with notice).

§ 08

Your rights under CCPA / CPRA (California).

California residents have the following CPRA-amended CCPA rights:

  • Know — categories and specific pieces collected, sources, business purposes, sharing categories.
  • Delete — subject to statutory exceptions (active engagement records we must retain).
  • Correct — inaccurate personal information.
  • Opt-out of sale or sharing — we do not sell or share; Global Privacy Control is honoured automatically.
  • Limit use of sensitive personal information — we do not knowingly collect sensitive PI.
  • Non-discrimination — no degraded service or price differential for exercising any right.

Categories of personal information collected in the past 12 months:

| Category | Collected? | Source | Disclosed to |
|---|---|---|---|
| Identifiers (name, email, IP) | Yes | You + automatic | Service providers |
| Personal records (§1798.80(e)) | Limited | You | Same |
| Internet / network activity | Server logs | Automatic | Hosting + CDN |
| Professional / employment | Voluntary | You | Service providers |
| Commercial info (invoices) | Post-engagement | You | Accountants |
| Sensitive PI / biometric / precise geo / sensory / education / inferences | No | | |

Two ways to submit a CCPA request: email privacy@summitreachsoft.com (subject "CCPA request") or use the contact form at /contact with track set to "Privacy / data-rights." Response within 45 calendar days.

Do Not Sell or Share My Personal Information. We do not sell or share for cross-context behavioural advertising. The footer link of the same name opens cookie preferences pre-selecting "reject marketing." GPC is honoured automatically.

§ 09

Other US state privacy laws.

Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Montana, Texas, and other states with comprehensive privacy laws have rights substantially similar to those in §8. Use the same channel — privacy@summitreachsoft.com.

§ 10

International data transfers.

We are based in the United States. Personal data is transferred to and processed in the US.

For transfers from the EEA, UK, or Switzerland to recipients not subject to an adequacy decision, we rely on, in order of preference:

  • EU–US Data Privacy Framework where the recipient is certified.
  • EU Standard Contractual Clauses (2021/914), Module Two, supplemented where needed by a transfer-impact assessment.
  • UK International Data Transfer Addendum for UK transfers.
  • Swiss FDPA-compliant clauses for Swiss transfers.

Full transfer terms for engagement data: /dpa.

§ 11

Children's privacy.

The Site is a B2B marketing site not directed at children. We do not knowingly collect personal information from children under 16. If we learn we have, we delete it. Email privacy@summitreachsoft.com with concerns.

§ 12

Automated decision-making.

We do not make decisions producing legal or similarly significant effects on you using solely automated means.

§ 13

Data Protection Officer / privacy contact.

SUMMIT REACH does not meet the GDPR Article 37 thresholds for mandatory DPO appointment (public authority, large-scale systematic monitoring, or large-scale special-category processing). We have therefore not appointed a DPO. We do designate a Privacy Contact:

If processing scale changes such that a DPO becomes required, we will appoint one and publish the appointment here.

§ 14

Changes to this notice.

Material changes bump the "Updated" date and version, re-prompt the consent banner (version increment in consent.js), and trigger direct email to active-engagement clients. Continued use after a change indicates acceptance.

§ 15

Contact.

 QUESTIONS OR FEEDBACK

Questions about this policy?

The text above describes how SUMMIT REACH LLC operates, in plain English. The final binding agreement between you and SUMMIT REACH LLC is whatever is signed at the bottom of your engagement, alongside this policy.

Questions or proposed changes? Email legal@summitreachsoft.com.