Privacy Policy.
01 Who we are
This Privacy Policy explains how Nyhilism, Inc. (a [TODO: State of Incorporation] corporation, principal place of business in North Carolina, USA) collects, uses, shares, and protects personal information in connection with the GrabYourDot.com website ("the Site").
For the purposes of the EU/UK General Data Protection Regulation ("GDPR"), Nyhilism, Inc. is the "data controller" of personal data collected via the Site. For the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), we are a "business" processing your personal information.
Contact our privacy team at privacy@grabyourdot.com.
02 Our privacy principles
- Collect minimally. We collect only what we need to operate the Site.
- Disclose fully. Everything we collect is documented here.
- Don't sell. We do not sell personal information to anyone, ever.
- No surveillance ads. We do not run cross-site behavioral advertising.
- Honor your rights. You can access, correct, delete, or export your data on request.
03 Categories of personal information we collect
Information you give us directly:
- Email address — when you subscribe to our newsletter or send us a message.
- Name (optional) — if you provide it when subscribing or contacting us.
- Account credentials — if/when we offer accounts (currently admin only).
- Any free-form text you submit through contact forms, replies, or future user-generated features.
Information collected automatically when you visit:
- IP address — used at connection time for geolocation country and rate-limiting; not stored long-term in identifiable form.
- Browser and device info — User-Agent string (classified into desktop / mobile / tablet / bot and discarded), screen size, OS.
- Usage data — pages visited, scroll depth, outbound link clicks, referring URL, session duration.
- Cookies and similar technologies — see our Cookie Policy.
Information from third parties:
- Affiliate networks — when you complete a purchase via an affiliate link, the network reports aggregated commission data to us. We do not receive your name, address, or payment information.
04 How we use your information (purposes)
- To operate, maintain, and improve the Site.
- To send the newsletter to subscribers and respond to your messages.
- To understand which providers, reviews, and pages are popular so we can prioritize what to benchmark next.
- To detect and prevent abuse, fraud, bot traffic, and security incidents.
- To track outbound affiliate-link performance in aggregate (we don't link clicks to individual subscribers).
- To comply with legal obligations, court orders, and lawful requests from authorities.
- To enforce our Terms of Service and protect our rights and the rights of others.
05 Legal basis for processing (GDPR)
If you are in the EU, EEA, or UK, we process your personal data under the following lawful bases under Article 6 of GDPR:
- Consent (Art. 6(1)(a)) — for non-essential cookies (analytics, advertising) and for newsletter signups. You may withdraw consent at any time without affecting prior lawful processing.
- Performance of a contract (Art. 6(1)(b)) — to deliver the newsletter you signed up for and to respond to messages you send us.
- Legitimate interests (Art. 6(1)(f)) — for essential website functionality, security, fraud prevention, aggregate analytics for product improvement, and aggregate affiliate-click measurement. Our legitimate interests are balanced against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — when required to comply with applicable law, court order, or government request.
06 Sharing with third parties (processors)
We share personal information only with the following categories of third-party processors, each under written contractual obligations to safeguard your data:
- Hosting & infrastructure: DigitalOcean (server hosting), Cloudflare (DDoS protection, CDN — when enabled).
- Database & authentication: Supabase (Postgres database, auth tokens) — US-hosted.
- Email delivery & list management: Resend (newsletter delivery and subscriber storage), Fastmail (our inbound email).
- Advertising: Nyhilism ad network (subject to your cookie consent).
- Affiliate networks: Commission Junction, Impact, ShareASale, Awin, Refersion, and direct programs operated by listed providers.
- Webfonts: Google Fonts (CDN-served font files; Google may log IPs of font requests).
We do not sell or rent personal information. We do not share it with data brokers, marketing aggregators, or surveillance-advertising providers.
We may disclose information if required by law, valid legal process, or to protect the safety or rights of any person.
07 International data transfers
Our servers and most of our processors are located in the United States. If you are visiting from outside the US, your personal information will be transferred to, stored in, and processed in the US.
For transfers from the EU, EEA, UK, or Switzerland to the US, we rely on Standard Contractual Clauses (SCCs) and supplementary technical and contractual safeguards. Where applicable, we also consider participation in the EU-US Data Privacy Framework.
08 How long we retain information
- Newsletter subscribers: until you unsubscribe, plus 30 days for unsubscribe-confirmation processing, plus an additional period necessary to demonstrate compliance with applicable law.
- Contact/inquiry messages: up to 2 years after your last interaction.
- Server logs: rotated weekly, deleted after 30 days.
- Affiliate click logs (outbound_clicks): aggregated indefinitely; raw rows retained 90 days.
- Aggregated/anonymized analytics: retained indefinitely (no longer personal data).
- Legal/compliance records: retained as long as legally required.
09 Cookies and tracking technologies
We use a limited set of first-party and third-party cookies. Full details — including the specific cookies we set, who sets them, and how to control them — are documented in our Cookie Policy. We require opt-in consent for all non-essential cookies (analytics, advertising) for visitors in the EU, EEA, UK, and where required by other law.
10 Your rights — GDPR (EU / EEA / UK)
If GDPR applies to you, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion, subject to legal retention obligations.
- Restriction — limit how we process your data in certain circumstances.
- Portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — for consent-based processing, at any time, without affecting prior lawful processing.
- Lodge a complaint — with your local supervisory authority. In the UK, the ICO (ico.org.uk). In Ireland, the DPC (dataprotection.ie). Find others at edpb.europa.eu.
To exercise any of these rights, email privacy@grabyourdot.com from the email address associated with your data. We respond within 30 days (extendable to 90 days for complex requests, with notice).
11 Your rights — California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories and specific pieces of personal information we collect, use, disclose, and (in our case) do not sell.
- Delete personal information we have collected about you, subject to legal retention obligations.
- Correct inaccurate personal information.
- Opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information in the CCPA sense. No opt-out is required because we do not engage in those activities, but you may still confirm this in writing.
- Limit use of sensitive personal information — we do not collect sensitive personal information as defined by CPRA.
- Non-discrimination — we will not deny services, charge different prices, or provide a different level of service because you exercised your rights.
To exercise California rights, email privacy@grabyourdot.com. You may also designate an authorized agent (we will verify your identity and the agent's authority before responding).
California "Shine the Light" disclosure: we do not share personal information with third parties for their direct marketing purposes.
12 Other U.S. state privacy rights
Residents of states with comparable privacy laws (Virginia, Colorado, Connecticut, Utah, and others as enacted) have rights similar to those described in the California section above. Email privacy@grabyourdot.com to exercise any state-law right; we apply the strongest applicable protection.
13 Children's privacy
The Site is not directed to children under 13. We do not knowingly collect personal information from anyone under 13 (or under 16 where higher local age applies). If we learn we have inadvertently collected such information, we will delete it promptly. If you believe a child has provided us personal information, contact privacy@grabyourdot.com.
14 Do Not Track and Global Privacy Control
We honor browser-level Global Privacy Control (GPC) signals as a valid opt-out request for non-essential cookies. We do not currently respond to Do Not Track (DNT) headers, as there is no industry consensus on how to interpret them, but our cookie consent banner provides equivalent control.
15 Data security
We implement reasonable technical and organizational measures to protect personal information, including:
- TLS encryption for all data in transit.
- Database encryption at rest via Supabase and underlying cloud providers.
- Row-level security (RLS) policies restricting database access to authenticated and authorized roles.
- Limited admin access via email allow-list with multi-factor authentication encouraged.
- Routine review of third-party processors' security practices.
No system is perfectly secure. We will notify affected users and regulators of any personal data breach without undue delay where required by law (e.g. GDPR Article 33, state breach-notification laws).
16 EU representative & DPO
As a US-based organization processing personal data from EU individuals primarily on an occasional basis and not involving large-scale processing of special categories, we believe we fall below the threshold requiring designation of an EU/UK Representative under GDPR Article 27 and a Data Protection Officer under Article 37. We monitor this assessment as our activities evolve.
For privacy questions, contact privacy@grabyourdot.com — we respond within 30 days.
17 Automated decision-making
We do not make decisions about you based solely on automated processing that produces legal or similarly significant effects.
18 Changes to this Privacy Policy
We may update this Policy as our practices or applicable law evolve. The "Last updated" date at the top reflects the most recent revision. We will provide prominent notice of material changes via a banner on the Site for at least 30 days and, where required, by email. Your continued use of the Site after the effective date constitutes acceptance.
19 Contact
Nyhilism, Inc.
[TODO: Street address]
[TODO: City], NC [TODO: ZIP]
USA
Email: privacy@grabyourdot.com