0. Scope
This is the Privacy Policy for our public website at https://contentcodes.com (the “Site”), the forms hosted on it, and the consumer-facing interactions that take place through it. It governs only what happens on the website.
This Policy is not:
- An employee privacy notice, HR policy, or internal company data-governance policy
- A description of our internal corporate operations, vendor management, finance, or board materials
- A Data Processing Agreement. When we transfer or enrich lead data on a customer’s behalf, that engagement is governed by a separate Customer Agreement, Service Order, and Data Processing Addendum (where applicable). This Policy describes only the public-facing summary of those flows in §3.
1. Who we are
Content Codes, Inc. (“Content Codes,” “we,” “us,” “our”) is an Illinois corporation operating from the United States. We provide done-for-you SEO content programs, lead data transfer services, and lead data enrichment services to real estate professionals (the “Services”).
We are not a data broker. We do not buy, sell, license, or rent personal information on our own account, and we are not registered as a data broker in any US state.
Contact: [email protected]
2. The short version
- We collect what you give us through forms, what you give us as a customer, and standard server logs.
- We use it to respond, deliver our Services, and run the business.
- We do not sell or share your personal information for advertising. We are not a data broker.
- Lead-enrichment data we provide to customers is for marketing use only — it is not a consumer report under the Fair Credit Reporting Act (FCRA), is not credit-bureau-derived, and may not be used to make eligibility decisions about consumers.
- US residents: email [email protected] with subject Privacy Rights Request to exercise your privacy rights.
3. Information we collect
3.1 From Site visitors
When you submit a form or email us, we collect: your name, email address, business website URL, the message or business context you choose to share, and standard email metadata.
3.2 From customers
When you become a paying customer, we additionally collect: billing information (handled by our payment processor — see §5), account credentials, support and communication history, and information about the CRM platform you use.
3.3 Customer-entrusted lead data (Lead Data Transfer / Enrichment customers)
This is the part of our Service that distinguishes us from a typical B2B website.
When you purchase Lead Data Transfer or Lead Data Enrichment, you authorize us to access — or you provide to us — lead records from your CRM. These records typically include name, email, phone number, mailing address, saved searches, notes, transaction history, and CRM custom fields.
You remain the controller / business with respect to that lead data. We act as your service provider / processor under a separate Customer Agreement and (where applicable) Data Processing Addendum, and we process that data only to deliver the Service you purchased. We do not use customer-entrusted lead data for our own marketing, model training, or sale to third parties.
3.4 Enrichment data (data we obtain from third parties)
For Lead Data Enrichment, we obtain data about your leads from licensed third-party data providers that aggregate public records and consumer marketing data. We do not name specific providers in this Policy for commercial-confidentiality reasons; we will disclose the names of providers handling personal information about you in response to a verifiable Privacy Rights Request under §6.3. This third-party data may include verified phone numbers and best-call-time signals; modeled homeownership status; estimated household income, wealth tier, and purchasing-power signals; and estimated demographic indicators (age range, household size, life stage).
FCRA carve-out. None of this enrichment data is derived from a “consumer report” as defined by the Fair Credit Reporting Act. It is not a credit score, not a credit-bureau-sourced credit report, and not a substitute for either. It is provided for marketing purposes only. Customers may not use enrichment data to make decisions about a consumer’s eligibility for credit, insurance, employment, housing rental, or any other FCRA-regulated purpose. Misuse breaches our Terms of Service and may violate federal law.
TCPA carve-out. Verified phone numbers provided through our enrichment Service do not constitute consumer consent under the Telephone Consumer Protection Act, the Telemarketing Sales Rule, or any state-level telemarketing or “mini-TCPA” statute. Customers are solely responsible for TCPA, state-telemarketing, and federal/state Do-Not-Call registry compliance before initiating any call, text, or fax to enriched contacts. Content Codes is not responsible for downstream TCPA, DNC, or telemarketing-law violations arising from a customer’s use of enriched data.
GLBA carve-out. Modeled financial indicators (such as estimated household income or wealth tier) are derived from non-FCRA public and consumer marketing data sources. They are not “nonpublic personal information” as defined by the Gramm-Leach-Bliley Act, are not sourced from any financial institution, and are not subject to GLBA. They are provided for lead prioritization and marketing purposes only.
3.5 Automatic information
Standard server logs (IP address, user-agent, referring URL, pages visited, timestamps) are collected by our infrastructure providers — Cloudflare at the edge and AWS at the application origin — for security and operational purposes.
We use Google Analytics 4 to measure aggregate Site traffic, page views, and visitor sources so we can improve content. Google Analytics sets first-party analytics cookies on your browser (_ga, _ga_<container-id>) and reports the associated page-view and session events to Google. IP addresses are truncated by Google before storage, we have not enabled Google Signals, and we have not enabled any advertising-integration features — the data is used only for first-party site analytics. You can opt out at any time by installing the Google Analytics Opt-out Browser Add-on or by blocking the _ga* cookies in your browser settings.
Other cookies present on the Site are strictly-necessary cookies set by Cloudflare for bot detection and DDoS protection (e.g., __cf_bm, cf_clearance). These cookies do not identify you, are not used for advertising, and do not require consent under US privacy laws or under the EU ePrivacy Directive’s strictly-necessary exemption. We do not use retargeting pixels, advertising trackers, session-replay tools, or any non-analytics third-party trackers.
4. How we use information
To respond to inquiries; deliver the Services you’ve purchased; send service-related emails; process payments; improve the Site and Services; detect and prevent fraud, abuse, and security incidents; and comply with legal obligations. We do not use information for cross-context behavioral advertising or to build behavioral profiles of Site visitors.
5. Sharing and sub-processors
We share information only with the following categories of service providers, only as necessary to operate the Services, and only under written agreements that restrict their use of the data:
| Sub-processor | Purpose |
|---|---|
| Cloudflare, Inc. | DNS, CDN, DDoS protection, web application firewall, edge bot management |
| Amazon Web Services, Inc. (“AWS”) | Web application hosting, server-side form processing, and operational logging (US-region infrastructure) |
| Google Workspace (Google LLC) | Email hosting for @content.codes mailboxes; calendar; document collaboration |
| Google Analytics 4 (Google LLC) | Aggregate Site analytics — page views, traffic sources, session counts. IP truncated; Google Signals and advertising-integration features are not enabled. |
| Stripe, Inc. | Card and ACH payment processing |
| Chargebee Inc. | Subscription billing, invoicing, and revenue management |
| ClickUp (Mango Technologies, Inc.) | Internal customer relationship management, project tracking, and task management |
| Licensed third-party data providers (specific providers not disclosed for commercial-confidentiality reasons; names available on verifiable Privacy Rights Request) | Source for third-party data appended in our Lead Data Enrichment Service |
| Customer-authorized CRM platform (Real Geeks / Sierra Interactive / Lofty / etc.) | Accessed only with your authorization, only to deliver Services, only for the duration necessary |
We do not sell personal information for monetary or other valuable consideration, and we do not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA).
We will disclose information when required by law (subpoena, court order, valid government request) or to protect the safety, rights, or property of Content Codes, our customers, or the public.
6. Your rights (US residents)
6.1 Notice at Collection (California)
This Policy, together with §3 (collection), §4 (use), §5 (sharing), and §7 (retention), constitutes our Notice at Collection under CCPA / CPRA. Categories collected: identifiers, customer records, commercial information, internet activity, and (for customer-entrusted lead data only) categories described in §3.3. Purposes are in §4. Retention is in §7. We do not sell or share personal information for cross-context behavioral advertising. We do not collect or process sensitive personal information for purposes that would trigger the CPRA right to limit.
6.2 What you can do
Depending on your state, you may have the right to know, access, delete, correct, port, opt out of “sale” or “sharing,” limit use of sensitive PI, and be free from retaliation. We honor verifiable consumer requests from residents of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and any other US state that enacts substantially similar privacy rights.
6.3 How to exercise your rights
Email [email protected] with subject line Privacy Rights Request. We will:
- Acknowledge within 10 business days
- Verify your identity (we may ask for information matching what we already have)
- Respond substantively within 45 days (we may extend by 45 additional days if reasonably necessary, and will tell you in writing if we do)
You may use an authorized agent with signed written permission. You will not be retaliated against for exercising your privacy rights. If you believe we mishandled a request, you may complain to the California Privacy Protection Agency, the California Attorney General, or your state’s equivalent.
For B2B contact data, employment-context data, or third-party data we hold only as a service provider on a customer’s behalf, we may decline to fulfill or may redirect requests to the appropriate controller, as permitted by applicable law.
7. Retention
- Form submissions from non-customers: up to 24 months for sales follow-up, then deleted.
- Customer account data: for the duration of the relationship plus seven (7) years for tax, accounting, and dispute purposes.
- Customer-entrusted lead data (Transfer / Enrichment): only as long as necessary to deliver the Service, plus a 60-day buffer for re-runs, audits, and disputes. Then deleted unless retained under a written addendum.
- Site server logs: Cloudflare edge logs per Cloudflare’s standard retention (up to ~30 days); AWS application logs typically rotated within 30–90 days unless retained longer for an active security investigation.
- Email communications: per our email provider’s retention; typically the duration of the relationship plus archival.
8. Security and breach notification
We use commercially reasonable safeguards including TLS encryption in transit, Cloudflare WAF and DDoS protection at the edge, AWS-side network and identity controls (security groups and IAM least-privilege), access controls and least-privilege principles for staff, and documented vendor security review before onboarding any new sub-processor.
If we determine that a security incident has resulted in unauthorized access to, acquisition of, loss of, or disclosure of personal information about you, we will notify you (and, where required, the relevant state Attorney General, credit reporting agencies, or other regulators) within 30 days of discovery, or sooner if required by applicable law. Notification will be sent by email to the last email address we have on file, with substitute notice (Site banner, written mail) if email delivery fails.
9. Cookies
The Site uses two categories of cookies:
- Strictly-necessary cookies set by Cloudflare for bot management and DDoS protection (e.g., __cf_bm, cf_clearance). These cookies do not identify you, are not used for advertising, and are exempt from consent requirements under US privacy laws and under the EU ePrivacy Directive’s strictly-necessary exemption.
- Analytics cookies set by Google Analytics 4 (_ga, _ga_<container-id>) for aggregate Site analytics only — page views, traffic sources, and session counts. IP addresses are truncated by Google before storage, Google Signals is not enabled, and no advertising-integration features are enabled. You can opt out by installing the Google Analytics Opt-out Browser Add-on or by blocking the _ga* cookies in your browser.
We do not set advertising cookies, retargeting cookies, session-replay cookies, or any other non-essential third-party trackers. If we add any other non-essential cookies in the future, we will update this Policy and present a consent prompt where required by law.
10. Children
Our Services are intended for real-estate professionals and are not directed to children under 16. We do not knowingly collect personal information from children. Contact [email protected] if you believe a child has provided information to us, and we will delete it.
11. International users
Content Codes is a US company serving real estate professionals in the United States, Canada, and Mexico. Our infrastructure providers (Cloudflare and AWS) operate global networks, so technical request routing and edge caching may transit data centers outside North America in the ordinary course of operating a CDN; however, our application servers, processing, and storage of record are hosted on AWS in US regions.
We do not currently offer Services into the EU, UK, Switzerland, or other GDPR-equivalent jurisdictions, and we have not implemented Standard Contractual Clauses, an EU representative, or a UK representative.
12. Do Not Track
Our Site does not respond to DNT browser signals because there is no industry consensus on how to interpret them. Because we do not engage in cross-site advertising tracking, the practical impact is minimal.
13. Updates
We may update this Policy when our practices change or when required by law. Material changes: we’ll update the “Last updated” date, post the revised Policy at this URL, and notify active customers by email. Continued use of the Site or Services after a change is acceptance of the revised Policy.
14. Contact
Email: [email protected]
Subject line for privacy requests: Privacy Rights Request
We respond within one business day during posted hours (Monday–Friday, 6 am – 8 pm Eastern).