My Marketplace

1. Privacy Policy Overview

Entropy Partners, Inc. ("Company," "we," "us," "our," or "Entropy Partners") is committed to protecting your privacy and ensuring transparent data practices. This Privacy Policy describes how we collect, use, process, share, and protect your personal information when you access our website, use our Service (including datasets, platform, and related offerings), create an account, make purchases, or interact with us in any way (collectively, the "Service").

This Privacy Policy applies to all individuals, whether customers, partners, visitors, or prospective users. We comply with applicable privacy laws including the GDPR (EU), CCPA (California), VCDPA (Virginia), LGPD (Brazil), and other jurisdictional requirements.

If you do not agree with our privacy practices, please do not use the Service. Your continued use constitutes acceptance of this Privacy Policy.

2. Definitions

"Personal Information" or "Personal Data" means any information that identifies, relates to, or could reasonably be linked with an individual, including but not limited to: name, email, phone number, IP address, cookie identifiers, account credentials, transaction history, and usage data.

"Processing" means any operation performed on Personal Data, including collection, storage, use, analysis, transfer, deletion, or disclosure.

"Data Controller" means the entity that determines the purposes and means of Personal Data processing (Entropy Partners, Inc.).

"Data Processor" means an entity that processes Personal Data on behalf of the Controller (e.g., cloud hosting providers, payment processors).

"Data Subject" means the individual to whom Personal Data relates.

"Sensitive Personal Data" means categories of data requiring enhanced protection, including racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

3. Information We Collect

3.1 Information You Provide Directly

Account Registration: Name, email address, company name, job title, phone number, mailing address, tax ID (for S-corp verification), and business entity information.
Payment Information: Credit card, bank account details, billing address, and transaction history. Payment processing is handled by third-party payment processors (e.g., Stripe); we do not store full credit card numbers.
Customer Materials: Any annotations, feedback, test data, prompts, or other content you provide for dataset development, evaluation, or curation services.
Communications: Messages, emails, support tickets, feedback, survey responses, and any information you provide when contacting us.
Order and License Information: Details of Orders, license terms, scope, field-of-use, and exclusivity arrangements.

3.2 Information Collected Automatically

Usage Data: Pages visited, features used, links clicked, time spent, search queries, downloads, upload history, and Dataset access patterns.
Device and Network Information: IP address, browser type, operating system, device identifiers, referring URL, device type, and network provider.
Cookies and Tracking: Session identifiers, authentication tokens, preferences, analytics cookies, and retargeting pixels (see Section 11 for details).
Log Data: Server logs including timestamps, error messages, and technical performance metrics.
Geolocation Data: Approximate location derived from IP address (not precise GPS).

3.3 Information from Third Parties

Business Verification: Credit reports, sanctions lists, tax verification services, and identity verification providers (for Orders >USD 50,000).
Analytics Providers: Anonymized usage and traffic data from Google Analytics, Mixpanel, or similar services.
Payment Processors: Transaction status, payment verification, and fraud signals from Stripe or other payment gateways.
Public Sources: OFAC/sanctions list screening, business registration databases, and publicly available professional information.
Social Media: If you link your social media account or sign in via OAuth, we may collect profile information (name, email, avatar).

3.4 Sensitive Information

We do NOT intentionally collect Sensitive Personal Data. However, if your Custom Dataset Order involves processing sensitive data (e.g., data related to health, criminal convictions, or race), we will execute a separate Data Processing Addendum (DPA) that governs such processing and includes appropriate safeguards.

4. How We Use Your Information

4.1 Service Delivery and Account Management

Creating and maintaining your account;
Processing Orders, licenses, and payments;
Delivering Datasets and downloading files;
Providing customer support and technical assistance;
Sending service updates, maintenance notices, and account alerts.

4.2 Legal and Regulatory Compliance

Verifying your identity and business status;
Screening against sanctions and regulatory lists (OFAC, BIS, SDN);
Verifying S-corp election and tax documentation (for US businesses);
Preventing fraud, money laundering, and illegal use;
Complying with legal obligations, court orders, and government requests;
Maintaining audit logs and compliance records (7 years retention).

4.3 Analytics and Service Improvement

Analyzing usage patterns to improve Service quality;
Identifying trends, feature adoption, and user behavior;
Conducting quality assurance and performance testing;
Developing anonymized insights for business intelligence.

4.4 Marketing and Communications

Sending promotional emails, product updates, and newsletter content (with opt-out);
Conducting customer surveys and feedback requests;
Identifying you as a customer in case studies and testimonials (with opt-out);
Retargeting via advertising networks (with cookie consent).

4.5 Security and Fraud Prevention

Detecting unauthorized access and suspicious activity;
Preventing, detecting, and responding to fraud, security incidents, and abuse;
Enforcing Terms of Service and investigating violations.

4.6 Custom Dataset Development

Processing Customer Materials (annotations, feedback, data) per your Order;
Conducting vetting, quality assurance, and legal review;
Creating and curating Datasets tailored to your specifications;
Training internal models to improve curation quality (with appropriate safeguards).

5. Legal Basis for Processing (GDPR)

Under GDPR and similar laws, we rely on the following lawful bases for processing your Personal Data:

Contract Fulfillment (Article 6(1)(b)): Processing necessary to perform our Services, Orders, and license agreements.
Legal Obligation (Article 6(1)(c)): Compliance with tax, anti-money laundering, sanctions, and regulatory requirements.
Legitimate Interests (Article 6(1)(f)): Fraud prevention, security, analytics, service improvement, and marketing (balanced against your rights).
Consent (Article 6(1)(a)): For marketing emails, cookies, and non-essential processing (can be withdrawn anytime).
Vital Interests: Emergency situations where processing is necessary to protect someone's life.

For Sensitive Personal Data, we rely on Article 9 exceptions including explicit consent, employment law compliance, or public interest in health/safety contexts.

7. International Data Transfers

7.1 Cross-Border Processing

Entropy Partners is a US-based company (Delaware). Personal Data is primarily processed and stored in the United States. If you are located outside the US (e.g., EU, UK, MENA), your Personal Data will be transferred to and stored in the US, which may have different privacy protections than your home country.

7.2 GDPR Data Transfer Mechanisms

For EU and UK residents, we implement lawful transfer mechanisms including:

Standard Contractual Clauses (SCCs): Adopted by EU regulators for US transfers; incorporated into our Data Processing Addendum.
Adequacy Decisions: Where applicable (e.g., post-Brexit arrangements with UK).
Explicit Consent: You may explicitly consent to transfer under Article 49(1)(a) GDPR.

7.3 Your Acceptance

By using the Service, you acknowledge that your Personal Data will be transferred to, processed in, and stored in the United States. If you do not consent to such transfer, please do not use the Service.

7.4 Data Storage Location Options

For enterprise Orders involving sensitive data, we may accommodate data residency requirements (e.g., EU data remaining in EU zones) at additional cost. Contact legal@entropyauction.com to discuss options.

8. Data Retention and Deletion

8.1 Retention Periods by Data Type

Account and Profile Information: Retained while your account is active; deleted within 90 days of account termination (unless legally required to retain).
Payment and Transaction Data: Retained for seven (7) years for tax, audit, and compliance purposes (IRS requirement).
License and Order Records: Retained for seven (7) years for dispute resolution and audit purposes.
Customer Support Communications: Retained for three (3) years for service quality and dispute resolution.
Compliance Records (KYC, Sanctions Screening): Retained for ten (10) years per AML/KYC regulations.
Usage and Analytics Data: Anonymized usage data retained indefinitely; personally identifiable usage logs deleted after 12 months.
Marketing and Cookies: Deleted upon opt-out or expiration of consent; persistent cookies retained for up to 24 months.
Backups and Archives: Retained for up to 12 months for disaster recovery and compliance.

8.2 Your Deletion Rights

You have the right to request deletion of your Personal Data, subject to legal holds and retention requirements. We will delete your data within 30 days where legally permitted, except where we must retain for compliance, dispute resolution, or audit purposes.

8.3 Residual Data

Even after deletion, anonymized or aggregated data derived from your Personal Data may be retained indefinitely for analytics, research, and service improvement.

9. Security and Data Protection

9.1 Security Measures

We implement industry-standard security controls to protect Personal Data against unauthorized access, alteration, disclosure, and destruction, including:

Encryption in transit (TLS/SSL) and at rest (AES-256 or equivalent);
Firewalls, intrusion detection systems, and DDoS protection;
Multi-factor authentication (MFA) for account access;
Access controls restricting data access to authorized personnel only;
Regular security audits, penetration testing, and vulnerability assessments;
Secure data deletion procedures and device wiping;
Business continuity and disaster recovery plans.

9.2 Limitations

No security system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You assume some risk by using the Service and transmitting data over the internet.

9.3 Data Breach Notification

If we discover a breach involving Personal Data, we will notify affected individuals and regulatory authorities (where required) without undue delay and no later than 72 hours under GDPR. Notifications will include a description of the breach, likely impact, and steps individuals can take.

9.4 Employee Training and Confidentiality

Our employees are trained on privacy and security practices. All employees and contractors sign confidentiality agreements and are prohibited from disclosing Personal Data.

10. Your Privacy Rights and Choices

10.1 Universal Rights (All Jurisdictions)

Access: Right to request and receive a copy of your Personal Data.
Correction: Right to correct inaccurate or incomplete Personal Data.
Deletion: Right to request deletion of your Personal Data (subject to legal holds).
Opt-Out of Marketing: Right to unsubscribe from promotional emails and marketing communications.
Transparency: Right to receive this Privacy Policy and understand how we process your data.

10.2 Exercising Your Rights

To exercise any rights, submit a written request to privacy@entropyauction.com or legal@entropyauction.com with:

Your full name and account email;
Description of the request (access, correction, deletion, etc.);
Any supporting documentation;
Your preferred method of response.

We will respond within thirty (30) days (or as required by law). We may request additional information to verify your identity before fulfilling requests.

10.3 Right to Non-Discrimination

We will not discriminate against you for exercising privacy rights. You will not face penalties, denial of service, or reduced functionality if you exercise CCPA, GDPR, or other privacy rights.

10.4 Do Not Track (DNT)

Some browsers include DNT features. We honor DNT signals where technically feasible by limiting tracking cookies and analytics (if you enable DNT). However, we may still retain necessary cookies for security and account management.

11. Cookies and Tracking Technologies

11.1 Cookie Types

Essential Cookies: Required for account authentication, security, and service functionality (always enabled; no consent required).
Analytics Cookies: Track usage patterns via Google Analytics, Mixpanel (requires consent).
Marketing/Retargeting Cookies: Enable retargeting ads on third-party platforms (requires consent).
Preference Cookies: Remember your language, theme, and display preferences (requires consent).

11.2 Cookie Consent

On first visit, we display a cookie consent banner. You can:

Accept All: Enable all cookies (analytics, marketing, preferences).
Reject Non-Essential: Disable analytics and marketing cookies; essential cookies remain.
Customize: Choose specific cookie categories via cookie settings page.

You can change cookie settings anytime via account preferences or by clearing your browser cookies. If you reject non-essential cookies, some features (e.g., retargeting ads) will not function.

11.3 Third-Party Cookies and Tracking

Third-party partners (Google Analytics, Facebook Pixel, LinkedIn) may place cookies and track your activity. We are not responsible for their tracking practices; review their privacy policies for details.

11.4 Web Beacons and Pixel Tags

We may use web beacons (invisible pixels) in emails and web pages to track open rates, clicks, and conversions. You can disable pixel tracking in email client settings.

12. Third-Party Services and Links

12.1 Third-Party Links

Our website may contain links to third-party websites (e.g., partners, service providers, social media). We are not responsible for their privacy practices. We recommend reviewing their privacy policies before sharing personal information.

12.2 Social Media Integration

If you link your social media account (LinkedIn, Google, GitHub), we may collect profile information (name, email, avatar). You control the scopes of data shared via social platform settings. Disconnecting your social account will stop further data sharing.

12.3 API and Third-Party Integrations

If you connect third-party tools (Zapier, Make, etc.), you authorize data sharing per those tools' privacy policies. We are not responsible for their data handling.

13. Children and COPPA Compliance

13.1 Age Restriction

The Service is not directed to individuals under 13 years of age. We do not knowingly collect Personal Data from children under 13. If we discover that a child under 13 has created an account or provided personal information, we will delete such data immediately and notify parents/guardians.

13.2 COPPA Compliance

For US users, we comply with the Children's Online Privacy Protection Act (COPPA). Parents/guardians of children under 13 who believe their child has provided information should contact privacy@entropyauction.com immediately.

13.3 Teen Users (13-18)

Teen users (13-18) may use the Service with parental consent. We encourage parents to discuss online privacy and monitor usage. Teens can request deletion of their account and Personal Data.

14. California Privacy Rights (CCPA/CPRA)

14.1 Applicability

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) apply to your Personal Information (unless exempt).

14.2 California Consumer Rights

Right to Know: You may request disclosure of: (a) categories and specific pieces of Personal Information we have collected; (b) sources of collection; (c) purposes for collection; (d) categories of third parties with whom we share information.
Right to Delete: You may request deletion of Personal Information collected from you, subject to exceptions (e.g., where necessary to complete transactions or comply with law).
Right to Correct: You may request correction of inaccurate Personal Information.
Right to Opt-Out of Sale/Sharing: You may opt-out of the "sale" or "sharing" of Personal Information. We do not sell data for monetary consideration but may share data for targeted advertising purposes; you can opt-out.
Right to Limit Use and Disclosure: You may request that we limit use of Sensitive Personal Information to purposes necessary to provide the Service.
Right to Non-Discrimination: We will not deny service, charge different prices, or provide different quality of service based on your privacy choices (except as permitted by law).
Right to Authorized Agent: You may designate an authorized agent to submit requests on your behalf.

14.3 How to Exercise California Rights

Submit requests via email to privacy@entropyauction.com or legal@entropyauction.com with subject line "CCPA Request." Include your name, email, and specific right requested. We will respond within 45 days (extendable by 45 days for complex requests).

To opt-out of targeted advertising/data sharing, click the "Do Not Sell or Share My Personal Information" link in the footer, or enable your browser's Global Opt-Out signal (CalOPPA).

14.4 California Shine the Light Law

Under California's Shine the Light law, you may request disclosure of categories of Personal Information we have shared with third parties for their direct marketing purposes. Submit requests to privacy@entropyauction.com.

15. Virginia Privacy Rights (VCDPA)

15.1 Applicability

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) applies to your Personal Data.

15.2 Virginia Consumer Rights

Right to Know: Request disclosure of categories and specific pieces of Personal Data we collect and how we use it.
Right to Delete: Request deletion of Personal Data (subject to lawful exceptions).
Right to Correct: Request correction of inaccurate Personal Data.
Right to Data Portability: Request a copy of your Personal Data in a portable format.
Right to Opt-Out: Opt-out of targeted advertising and profiling for marketing purposes.
Right to Appeal: Appeal our denial of a rights request to privacy@entropyauction.com.

15.3 How to Exercise Virginia Rights

Submit requests to privacy@entropyauction.com. We will respond within 45 days. Minors (13-17) may submit requests independently or via parent/guardian.

16. European Union Rights (GDPR)

16.1 Applicability

If you are located in the EU, UK, or EEA, GDPR applies to your Personal Data processing by Entropy Partners.

16.2 GDPR Rights

Right of Access (Article 15): Right to obtain a copy of your Personal Data and information about processing.
Right to Rectification (Article 16): Right to correct inaccurate or incomplete Personal Data.
Right to Erasure (Article 17): Right to deletion of Personal Data ("right to be forgotten") under certain conditions.
Right to Restrict Processing (Article 18): Right to limit how your data is processed.
Right to Data Portability (Article 20): Right to receive your Personal Data in a structured, portable format and transmit to another controller.
Right to Object (Article 21): Right to object to processing based on legitimate interests or direct marketing.
Rights Related to Automated Decision-Making (Article 22): Right not to be subject to solely automated profiling with legal effects.
Right to Withdraw Consent (Article 7): Right to withdraw consent at any time (does not affect prior processing).

16.3 Data Protection Officer and Complaints

You may contact our Data Protection Officer at privacy@entropyauction.com. If you believe we have violated GDPR, you have the right to lodge a complaint with your national Data Protection Authority (e.g., CNIL in France, ICO in UK, DPA in Ireland).

16.4 Standard Contractual Clauses

For data transfers from EU to US, we use Standard Contractual Clauses (SCCs) incorporated into our Data Processing Addendum. SCCs are subject to transfer impact assessments as required by GDPR.

17. Brazil Privacy Rights (LGPD)

17.1 Applicability

If you are a Brazilian resident, the Lei Geral de Proteção de Dados (LGPD) applies to your Personal Data.

17.2 LGPD Rights

Right of Access: Request disclosure of your Personal Data we hold and how it is processed.
Right to Rectification: Request correction of inaccurate data.
Right to Deletion: Request deletion of Personal Data (subject to legal exceptions).
Right to Data Portability: Request your data in a portable format.
Right to Object: Object to processing based on legitimate interests.
Right to Withdraw Consent: Withdraw previously given consent.

17.3 LGPD Compliance

We act as a Data Controller for your Personal Data. For LGPD-specific inquiries, contact privacy@entropyauction.com. We will respond within 15 days. You may escalate complaints to the Brazilian National Data Protection Authority (ANPD).

18. Changes to This Privacy Policy

18.1 Policy Updates

We may update this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on the Service with a new "Last Updated" date.

18.2 Material Changes

For material changes (e.g., new data sharing, significantly reduced privacy protections), we will provide prominent notice via email, in-app notification, or banner notification at least 30 days before the change takes effect. Your continued use constitutes acceptance of the updated policy.

18.3 Archived Versions

Previous versions of this Privacy Policy are available upon request for audit and compliance purposes.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:

Entropy Partners, Inc.
Data Protection Officer / Privacy Team
Email: privacy@entropyauction.com
Legal Inquiries: legal@entropyauction.com
General Support: support@entropyauction.com
Website: entropyauction.com
Mailing Address: [To be provided upon request]

We aim to respond to all privacy inquiries within fifteen (15) business days. For EU/EEA residents, you may also contact your national Data Protection Authority if we do not resolve your concern.