01 · Scope
This Policy applies to personal information that Cofactor processes as a controller (for example, when you visit our marketing site, join the waitlist, contact us, or sign up as a Cofactor client) and as a processor (when we operate software on behalf of a Cofactor client and that software handles personal information about the client's end users).
When Cofactor acts as a processor, the client is the controller of that data; their privacy notice — not this Policy — governs collection and use of personal information from end users. Our handling in that role is governed by the data-processing terms in the client's order form.
02 · What we collect
We collect the categories below. We do not knowingly collect special categories of personal data (health, biometric, religious, etc.) unless a client expressly directs us to process such data on their behalf.
- Waitlist information. Email address, optional company name, and the answer to "What's running today?" when you join the early-access waitlist.
- Contact information. Name, email, optional company, and the contents of any message you send through the contact form, by email, or in a scheduled call.
- Account and billing information. Legal name of the contracting entity, billing contact name and email, address, tax identifier, and payment instrument details (handled by our payment processor; we do not store full card numbers).
- Service data. Account credentials, audit logs, and operational telemetry generated by the software we build and run for you.
- Usage and technical data. IP address, user-agent string, request timestamps, and similar information automatically logged by web servers and CDNs for security, debugging, and abuse prevention.
- Communications. Records of email, ticketing, and Slack-channel correspondence necessary to provide the service and resolve issues.
We do not buy personal information from data brokers, and we do not enrich your record with third-party marketing data.
03 · How we use it
We use personal information to:
- Operate, secure, monitor, and improve the marketing site and the services we provide.
- Respond to inquiries, prepare proposals, and onboard new clients.
- Bill, collect, and reconcile payments.
- Communicate with you about your engagement, security or privacy events, and material changes to our services or this Policy.
- Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms.
- Comply with legal obligations, respond to lawful requests, and enforce our agreements.
We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, and we do not engage in targeted advertising.
We do not use Customer Data or end-user personal information to train third-party machine-learning models. Where we use generative AI to deliver client features, we configure the model provider so that customer prompts and outputs are not retained for training.
04 · Legal bases for processing
For visitors located in jurisdictions whose laws require an identified legal basis (for example, the GDPR or UK GDPR), we rely on the following bases:
- Contract. To deliver services you have requested or are evaluating.
- Legitimate interests. To run, secure, and improve our services and to communicate with prospects who have engaged with us, balanced against your rights and expectations.
- Consent. Where we ask for it (e.g., for non-essential cookies, if and when we ever deploy them).
- Legal obligation. To comply with applicable tax, accounting, anti-fraud, and law-enforcement requirements.
06 · Retention
We keep personal information only for as long as needed to fulfill the purposes for which it was collected, including any retention required to comply with legal, accounting, or reporting obligations.
- Waitlist and contact submissions. Up to 24 months from the last interaction, then deleted unless you become a customer.
- Account and billing records. For the duration of the engagement plus seven (7) years to satisfy tax and audit requirements.
- Service data and operational logs. Per the retention period in your order form (typically 90 days for verbose request logs, 13 months for security audit logs).
- Backups. Encrypted backups are retained for 35 days on a rolling basis. Information in backups will be removed in the ordinary backup-rotation cycle.
07 · Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict our processing of your personal information; to opt out of profiling for decisions producing legal effects; and to lodge a complaint with a supervisory authority.
Florida residents. Where applicable under Florida law, including the Florida Information Protection Act of 2014 (Florida Statutes § 501.171), you may request information about how we handle your personal information and ask us to correct it. We respond within 45 days, with a single 45-day extension if reasonably necessary.
California residents. Subject to the California Consumer Privacy Act and California Privacy Rights Act, you may request to know, delete, correct, and limit use of sensitive personal information; we do not sell or share personal information for cross-context behavioral advertising.
EEA, UK, and Switzerland residents. Under the GDPR or UK GDPR, you may exercise the rights of access, rectification, erasure, restriction, portability, and objection, and you may withdraw any consent you have given.
Canadian residents. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), and equivalent provincial laws where applicable, you may request access to and correction of personal information we hold about you. We respond to verified requests within 30 days. You may also lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC). Cofactor has designated a Privacy Officer accountable for our PIPEDA program; contact details are below.
To exercise any right, email legal@cofactor.consulting with the subject "Privacy Request" and a description of what you'd like. We will verify your identity using information already on file before fulfilling the request. We will not discriminate against you for exercising any right.
09 · Children
The Cofactor service is intended for business use and is not directed to children. We do not knowingly collect personal information from anyone under 13 (or under 16 in the EEA and UK). If you believe a child has provided us personal information, contact us and we will delete it.
10 · Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against loss, misuse, unauthorized access, disclosure, alteration, or destruction. Current safeguards include: encryption of personal information in transit (TLS 1.2+) and at rest, role-based access controls with multi-factor authentication for production systems, principle-of-least-privilege for credentials and database accounts, hardened CI/CD with required code review for any change touching production, continuous logging and anomaly detection on edge and origin traffic, secrets stored in dedicated vaults, and routine vulnerability scanning of dependencies and infrastructure.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect personal information, we cannot guarantee its absolute security.
11 · Data-breach notification
If we determine that a security incident has resulted in the unauthorized acquisition of unencrypted personal information that triggers notification obligations under applicable law, we will provide notice as required.
Specifically, where the Florida Information Protection Act of 2014 applies, we will provide notice to affected Florida residents and to the Florida Department of Legal Affairs as soon as practicable and no later than thirty (30) days after determination of the breach (with the limited extensions FIPA allows for law-enforcement investigations and substituted notice for breaches affecting more than 500 residents). For other jurisdictions, we will follow the timelines and authority-notification requirements that apply.
12 · International transfers
Cofactor is based in the United States. If you access the service from outside the U.S., your information may be transferred to, stored in, and processed in the U.S. and other countries where our sub-processors operate. Where required, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful mechanisms to protect such transfers.
13 · Changes to this Policy
We may update this Policy from time to time. If a change is material, we will notify you by email (where we have an address on file) and post the revised Policy with an updated effective date at least 30 days before the change takes effect.
14 · Health information
Some Cofactor clients operate in healthcare-adjacent verticals (for example, dental, veterinary, and tele-health practices). Where a client engagement may cause Protected Health Information (PHI), as defined under the Health Insurance Portability and Accountability Act ("HIPAA"), to flow through software we operate, Cofactor acts as a Business Associate of the client.
In that role we will: (i) sign a Business Associate Agreement (BAA) with the client before any PHI is processed; (ii) sign or obtain BAAs from any downstream sub-processor that may receive PHI; (iii) maintain the administrative, physical, and technical safeguards required by the HIPAA Security Rule; (iv) limit access to PHI on a least-privilege basis with multi-factor authentication; (v) maintain audit logs of access to PHI for at least six (6) years; and (vi) follow the HIPAA Breach Notification Rule timelines for any reportable breach involving PHI, in addition to any state-law requirements that apply.
Cofactor has designated a Privacy Officer and a Security Officer accountable for the HIPAA program. Where a client account has not been classified as PHI-in-scope, Cofactor does not knowingly receive or process PHI; clients are responsible for not transmitting PHI through channels that have not been BAA-covered.
Our HIPAA program details, BAA template, and current Privacy Officer and Security Officer assignments are available on request from legal@cofactor.consulting. See also our Trust page for current attestation status.
15 · Contact
Questions or requests? Email legal@cofactor.consulting or write to us at the address on the contact page.
For privacy-specific requests, please use the subject line "Privacy Request" so it routes to the right inbox.