We collect what you send through the contact form, the cookie-free analytics on the site, and the records we need to do business with you. We don't sell it, we don't share it for ad targeting, and we don't train AI models on it. Want it gone? Email us and it's gone. We also honour Do Not Track and Global Privacy Control automatically.
Who we are
Highstone Media, LLC (“Highstone,” “we,” “us,” or “our”) is a digital advertising agency organized in the State of Wyoming, USA. Our registered office and mailing address is 317 W Whitney St, Sheridan, WY 82801, United States.
This Privacy Policy explains what personal information we collect on highstonemedia.com (the “Site”) and through our business communications, why we collect it, who else sees it, how long we keep it, and the rights you have over it. It applies to prospective clients, current clients and their authorized users, vendors, and website visitors.
- Controller
- Highstone Media, LLC (Wyoming, USA)
- Privacy contact
- privacy@highstonemedia.com
- Phone
- +1 (360) 994-1062
- Data governance lead
- The Privacy contact above acts as our Data Governance Lead (functional equivalent of a Data Protection Officer where one is not formally required by law).
- Postal mail
- Attn: Privacy, 317 W Whitney St, Sheridan, WY 82801, USA
What personal information we collect
We collect three categories of information:
(a) Information you give us directly. When you complete our contact form, reply to an email, sign a proposal, or correspond with us, we receive: your name, email address, telephone number (if provided), company name, role/title, monthly media-spend range if you share it, and any free-text content you choose to include. Client accounts also include billing contacts and authorized-user details required to deliver the service.
(b) Information we collect automatically. When you visit the Site, our hosting provider and analytics tool log: IP address, user agent (browser, device, operating system), referring URL, the URL of the page on our site, timestamps, page-load performance metrics, and (aggregated) approximate geography derived from IP. We do not use advertising pixels, retargeting tags, or session-replay tools on this Site.
(c) Information from third parties. If you are referred to us through a mutual contact (e.g. Slack Connect, an introducer's email), we receive what that channel forwards. If you become a client, our payment processor (Stripe) and accounting system (QuickBooks) share invoice and payment metadata with us; we never receive or store full card numbers.
Sensitive categories. We do not knowingly collect data revealing racial or ethnic origin, religious beliefs, political opinions, trade-union membership, genetic or biometric data, health data, sexual orientation, or precise (lat/long) location data. Please do not include sensitive personal information in messages to us.
How and why we use it
We use the information above to:
- Respond to your inquiry and assess whether we're a good fit.
- Send proposals, contracts, kickoff calendar invites, weekly reports, and other items you've asked us to send.
- Provide, support, and improve the services we deliver to clients.
- Maintain billing, tax, and accounting records as required by US law.
- Understand which pages on our Site are useful and which are not (aggregate analytics only).
- Send infrequent product or policy updates to existing clients. We do not operate a marketing newsletter and we do not send cold outreach.
- Detect, prevent, investigate, and respond to fraud, abuse, or security incidents.
- Comply with legal obligations (e.g. responding to a valid subpoena) and exercise or defend legal claims.
We do not use your personal data to train any AI model, sell it to third parties, share it for cross-context behavioural advertising, or build advertising audiences with it.
Automated decision-making. We do not make decisions about you that produce legal or similarly significant effects using solely automated means. All decisions about fit, pricing, scope, or termination of a Highstone engagement are made by a human.
Legal bases (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases for processing under GDPR / UK GDPR Articles 6(1) and 9(2):
- Contract
- Art. 6(1)(b) — to respond to your request, deliver the services you have engaged us for, and administer the engagement (billing, support, reporting).
- Legitimate interests
- Art. 6(1)(f) — to operate, secure, and improve our Site; to communicate with prospective clients who have contacted us; to maintain business correspondence records; and to detect and prevent abuse. We have considered and balanced these interests against your rights and freedoms.
- Legal obligation
- Art. 6(1)(c) — to keep tax, accounting, KYC, and other records required by US and applicable foreign law.
- Consent
- Art. 6(1)(a) — only where we explicitly ask for it (for example, before using a client testimonial that names you). You may withdraw consent at any time without affecting prior processing.
- Vital interests / public interest
- Art. 6(1)(d) and (e) — not used for ordinary processing.
Who we share it with
We share personal information only with the service providers (“processors” under GDPR) we need to run the business, and only to the extent required for them to perform their role. Our current sub-processor list is published at highstonemedia.com/sub-processors and currently includes:
- Email + calendar
- Google Workspace
- CRM
- Attio
- Contracts & e-signature
- DocuSign
- Billing
- Stripe (payments), QuickBooks (accounting)
- Website analytics
- Plausible (cookie-free) and Vercel Analytics (cookie-free)
- Hosting & CDN
- Vercel, Cloudflare
- Communications
- Slack, Zoom (client review calls)
Each processor is bound by a written contract (Data Processing Agreement) that limits their use of your data to instructions we give them. We do not sell, rent, trade, share for cross-context behavioural advertising, or otherwise transfer your personal information to third parties for their own marketing purposes.
We may disclose personal information without prior notice if required by law (court order, subpoena, government request) or where we believe in good faith that disclosure is reasonably necessary to protect against fraud, defend our legal rights, or protect the safety of any person. Where lawful, we will inform you of the request before responding.
In the event of a merger, acquisition, financing, or sale of substantially all of our assets, personal information may be transferred to the acquirer subject to the protections of this policy. We will notify you of any such change.
Cookies and similar technologies
This Site uses only strictly necessary cookies — those required for the Site to function correctly (e.g. remembering a theme preference, CSRF protection on forms). We do not use advertising cookies, retargeting pixels, fingerprinting, or session-replay tools on this Site.
Our analytics tool, Plausible, does not use cookies and does not collect personal data. It counts page views in aggregate by hashing the IP address with a daily-rotating salt and discarding the original. Vercel Analytics, used for page-load performance, is also cookie-free.
Because we set no non-essential cookies, no cookie-consent banner is displayed. Full disclosure of every cookie and similar technology in use is published in our Cookie Policy, which we update whenever the Site's stack changes.
How long we keep your information
We retain personal information only as long as necessary for the purpose for which it was collected, plus any period legally required (e.g. tax records). Specifically:
- Contact-form submissions
- 24 months from your last reply, then deleted unless you have become a client.
- Client engagement records
- For the duration of the engagement plus seven (7) years (US tax and accounting law).
- Billing & tax records
- Seven (7) years from the end of the relevant tax year.
- Website analytics
- Aggregate metrics retained indefinitely. Individual page-view records are not retained at the personal level.
- Email correspondence
- Up to seven (7) years from the date of the last message, then deleted on a rolling quarterly sweep.
- Backups
- Encrypted backups are retained for 90 days. Data scheduled for deletion is also purged from backups when they expire.
Where you have asked us to delete your personal information, we will do so promptly except where we are required by law to retain it (in which case we will isolate and stop processing it instead).
Your rights (GDPR / UK GDPR)
If you are in the EEA, the UK, or Switzerland, you have the following rights under GDPR / UK GDPR:
- Right of access (Art. 15) — to receive confirmation of processing and a copy of your personal data.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — to ask us to delete data we hold about you.
- Right to restrict processing (Art. 18) — to ask us to stop certain uses while a dispute is resolved.
- Right to data portability (Art. 20) — to receive your data in a structured, machine-readable format, or to have it transmitted to another controller.
- Right to object (Art. 21) — to object to processing based on legitimate interests; you may also object at any time to processing for direct marketing.
- Rights related to automated decision-making (Art. 22) — we do not subject you to solely automated decisions producing legal or similarly significant effects.
- Right to lodge a complaint (Art. 77) — with your local supervisory authority (in the UK, the ICO at ico.org.uk).
- Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.
To exercise any of these rights, email privacy@highstonemedia.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We will not charge you or require you to create an account.
Your rights (California — CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), gives you the following rights regarding your personal information:
- Right to know — categories and specific pieces of personal information we collected, the sources, the business or commercial purposes, and the categories of third parties with whom we shared it.
- Right to delete — personal information we collected from you, subject to statutory exceptions.
- Right to correct — inaccurate personal information we maintain about you.
- Right to opt out of sale or sharing — we do not sell personal information and we do not share it for cross-context behavioural advertising as those terms are defined under CCPA/CPRA. See Do Not Sell or Share My Personal Information.
- Right to limit use of sensitive personal information — we do not use sensitive PI to infer characteristics, and we do not use it for purposes outside the limited operational ones permitted by §7027.
- Right of non-discrimination — we will not deny services, charge different prices, or provide a different level of quality because you exercised your CCPA/CPRA rights.
- Right to designate an authorized agent — you may use an agent to submit requests on your behalf with documented permission.
Categories of personal information we collect. Identifiers (name, email, IP); commercial information (services you inquired about, billing); internet/network activity (page-view metadata); geolocation (approximate, derived from IP); professional information (company, role); and the contents of communications you send us.
Categories of sources. You; our website logs; introducers / referrers; our payment processor.
Business purposes. Service delivery, billing, security, compliance, support, and improving the Site (see “How and why we use it” above).
Categories of third parties we disclose to. Service providers/processors listed above and at /sub-processors; government bodies where required by law.
Sale / sharing. Highstone Media does not sell or share personal information as defined under CCPA/CPRA, and has not done so in the preceding twelve (12) months. We also do not knowingly sell or share the personal information of minors under 16.
Retention. See “How long we keep your information” above.
To exercise a California right, email privacy@highstonemedia.com or call +1 (360) 994-1062. We verify identity by matching the email address or company on file; for sensitive requests we may ask one additional confirming question. We respond to verifiable requests within 45 days (extendable once by 45 days, with notice).
Other US state privacy laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other US states with comprehensive privacy laws have substantially similar rights to those described under CCPA/CPRA above. You may exercise them by the same method: email privacy@highstonemedia.com. If your state law provides for an appeal of our decision, you may also appeal by replying to our response within 60 days; we will respond to the appeal within the timeframe required by your state.
How we secure your information
We use reasonable, industry-standard technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, and alteration. These include:
- Encryption in transit (TLS 1.2+) for all Site traffic.
- Encryption at rest in all our client systems (Google Workspace, Attio, Stripe, Vercel, Cloudflare R2 where used).
- Two-factor authentication required on every internal account.
- Principle of least privilege for team access, with role-based access controls.
- Quarterly access reviews; immediate revocation on departure.
- Encrypted, password-managed credentials (1Password).
- Vendor risk review before adding any new sub-processor.
- An incident response plan documented in our internal Trust & Security policy and summarised at /security.
Breach notification. No system is 100% secure. If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Art. 33, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to those individuals. We apply this 72-hour standard worldwide, regardless of whether you reside in the EEA.
International data transfers
We are based in the United States, and our vendors above also operate in or transfer data to the United States. If you are in the EEA, UK, or Switzerland, your personal information is therefore transferred outside your home jurisdiction.
For such transfers, we rely on one or more of the following lawful transfer mechanisms, depending on the vendor and route:
- EU-US Data Privacy Framework (and the UK Extension / Swiss-US DPF) where the recipient is self-certified.
- EU and UK Standard Contractual Clauses (SCCs) incorporated into our written data-processing terms with each sub-processor, with supplementary technical measures where required.
- Your explicit consent, where applicable.
You can request a copy of the relevant transfer documentation by emailing privacy@highstonemedia.com.
Children
Our services are intended for businesses and the adults who run them. We do not knowingly collect personal information from anyone under 16 (or the equivalent age of digital consent under applicable local law). If you believe a minor has shared information with us, please email privacy@highstonemedia.com and we will delete it promptly.
Do Not Track and Global Privacy Control
Because we do not engage in cross-site tracking and do not sell or share personal information, we treat all browser-level Do Not Track signals and Global Privacy Control (GPC) signals as equivalent to a verified consumer request to opt out where one is otherwise required. The result is the same: we do not track you across sites or sell your data.
Changes to this policy
When we update this Privacy Policy, we change the version number and effective date at the top of this page. Material changes — anything that affects what we collect, who sees it, how long we keep it, or the legal bases on which we process it — are emailed to active clients at least 30 days in advance, and announced on the Site for at least 30 days.
A complete change log is available on request — email legal@highstonemedia.com.
Contact us
For anything related to this policy, contact:
- privacy@highstonemedia.com
- Phone
- +1 (360) 994-1062
- Attn: Privacy
Highstone Media, LLC
317 W Whitney St
Sheridan, WY 82801, USA
If you are in the EEA and we do not respond to your satisfaction, you can complain to your local supervisory authority. If you are in the UK, that authority is the Information Commissioner's Office (ico.org.uk).