Privacy Policy
Last updated: July 5, 2026
Kolton Consulting of Santa Rosa Beach, Florida, USA (“Kolton Consulting,” “we,” “I”) is the data controller for personal information collected through kolton.consulting (the “Site”) and in connection with my consulting services. This policy explains what I collect, why, on what legal basis, who it is shared with, how long it is kept, and the rights you have. The short version: I collect the minimum needed to run the Site and serve clients, I never sell personal information, and there are no advertising trackers here.
1. Information I collect
Information you provide
- Contact form: name, email address, business name (optional), the topic you selected, and your message.
- Scheduling: if you book a call, the name, email, and time you enter into the embedded scheduling tool.
- Client engagements: if we work together, business information reasonably needed to deliver services (for example, process documentation, systems access you choose to grant, and billing details), governed additionally by our engagement agreement.
- Correspondence: emails, texts, and call notes you exchange with me.
Information collected automatically
- First-party analytics: page viewed, referring site, and device category (mobile/desktop). Visits are counted with a one-way identifier that rotates every 24 hours, is never stored alongside your IP address, and cannot identify you or follow you across days or sites. No third-party analytics run on this Site.
- Server logs: the hosting infrastructure records standard access logs (IP address, user agent, URLs requested, timestamps) for security, abuse prevention, and troubleshooting, retained on a rolling basis and then deleted.
- Cookies: one strictly-necessary session cookie that makes forms work securely (CSRF protection). No marketing, advertising, or cross-site cookies. Because only strictly-necessary cookies are used, no cookie consent banner is required, and there is nothing to opt out of.
What I do not collect
No sensitive-category data is sought (health, biometrics, precise geolocation, etc.). No advertising identifiers. No data purchased from brokers. No automated decision-making or profiling that produces legal or similarly significant effects.
2. Why I process it (legal bases)
- To respond and provide services: performance of a contract, or steps at your request before entering one (GDPR Art. 6(1)(b)).
- To operate and secure the Site, measure aggregate usage, and prevent abuse: legitimate interests (Art. 6(1)(f)), balanced against your rights via the minimal, pseudonymous design above.
- To meet legal obligations: tax, accounting, and lawful requests (Art. 6(1)(c)).
- With your consent where I ask for it explicitly (e.g., a testimonial): Art. 6(1)(a); you may withdraw consent at any time.
3. Who it is shared with
Personal information is disclosed only to service providers acting on documented instructions, and only as needed to run the Site and my practice:
- Web hosting (serves the Site, stores form submissions, keeps server logs)
- Email providers (deliver messages between us)
- Scheduling provider (processes bookings you initiate; acts under its own privacy policy for its account features)
- Professional advisers (accountant, attorney, insurer) under confidentiality, where relevant
- Authorities where disclosure is required by law, or to protect rights, safety, or the integrity of the Site
If the business is ever sold or merged, personal information may transfer as part of that transaction under equivalent protections. I do not sell or rent personal information, and I do not “share” it for cross-context behavioral advertising (as those terms are defined in the CPRA).
4. International transfers
I am based in the United States, and information is processed here. If you contact me from the EEA, UK, or Switzerland, you understand your information will be transferred to the US. Where required, transfers rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses with service providers, alongside the technical measures described below.
5. Retention
- Inquiries: kept while relevant to our conversation, then deleted; at most 24 months after last contact unless we begin an engagement.
- Client records: for the engagement plus the period required for legal, tax, and accounting purposes (typically up to 7 years).
- Analytics: aggregate by design; daily identifiers are unlinkable after 24 hours.
- Server logs: rolling short-term retention controlled by the host.
6. Your rights
Everyone: email hi@kolton.net and I will help, typically within 30 days, with identity verified first.
EEA/UK (GDPR): you have the rights of access, rectification, erasure, restriction, portability, and objection (including to legitimate-interest processing), and the right to withdraw consent. You may also lodge a complaint with your local supervisory authority, though I would appreciate the chance to resolve any concern directly first.
California (CCPA/CPRA): you have the right to know the categories and specific pieces of personal information collected (listed in Section 1), the sources (you; automatic collection), the business purposes (Section 2), and the categories of recipients (Section 3); the right to delete; the right to correct; and the right to non-discrimination. Because I do not sell or share personal information, there is nothing to opt out of. Global Privacy Control signals are still honored as an opt-out preference where applicable, and authorized agents may submit requests with proof of authorization.
Other US states (Virginia, Colorado, Connecticut, Utah, and similar): equivalent access, correction, deletion, and portability rights are honored on the same terms.
7. Security
HTTPS everywhere; admin access gated by one-time passcodes; application data blocked from direct web access; uploads prevented from executing as code; least-data-necessary design. If a breach ever creates a risk to you, I will notify affected people and regulators as applicable law requires, without undue delay.
8. Children
The Site is a business service not directed at children under 13 (or the age of consent where you live), and I do not knowingly collect their data. If you believe a child has provided information, contact me and it will be deleted.
9. Do Not Track & third-party links
Because the Site does not track you across sites, there is nothing for a Do Not Track signal to disable. You get the maximum setting by default. Linked or embedded third-party sites operate under their own policies.
10. Changes & contact
Updates will be posted here with a new “last updated” date; material changes will not apply retroactively. Data controller and contact for all privacy matters: Kolton Consulting, Santa Rosa Beach, Florida, USA. Email hi@kolton.net.