Privacy Policy
Updated: March 20, 2026
1. Overview
Capgist LLC (“Capgist,” “we,” “us,” or “our”) is a Wyoming single-member limited liability company that operates the Capgist platform (the “Platform”), a multi-tenant cloud-based software-as-a-service product for real estate fund management.
This Privacy Policy describes how we collect, use, store, share, and protect personal information when you use the Platform, visit our website, or otherwise interact with us. It applies to both General Partner (“GP”) customers who subscribe to and pay for the Platform and Limited Partner (“LP”) investors who access the Platform through their GP's invitation.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you are a GP, you agree to this Policy on behalf of yourself and your authorized users. If you are an LP, please also review Section 7 (Investor-Specific Data Practices) for information specific to how your data is managed.
2. Our Commitment to Data Privacy
We built Capgist to help fund managers run their operations with confidence. That mission requires trust, and trust requires an unambiguous commitment to how we handle your data. This section states our principles plainly, and the rest of this Policy provides the legal and technical detail behind each one.
We will never sell your data. Not to advertisers, not to data brokers, not to anyone, under any circumstances. This applies to every category of data we process: GP data, LP investor data, fund data, financial data, usage data, and any other information entrusted to us. This is not a qualified promise. It is absolute. We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA), including for cross-context behavioral advertising. We do not sell personal information as defined under the Texas Data Privacy and Security Act (TDPSA), the Maryland Online Data Privacy Act (MODPA), or any other applicable state privacy law. Under MODPA, which prohibits the sale of sensitive data under all circumstances including with consumer consent, our practices comply fully because we do not sell any data of any kind. As of March 2026, twenty U.S. states have comprehensive privacy laws in effect, and our no-sale commitment satisfies every one of them.
We will never use your data for advertising. We do not display ads on the Platform. We do not allow third parties to advertise to you through the Platform. We do not share your data with any third party for advertising, marketing, or behavioral targeting purposes. We do not engage in cross-site tracking or cross-context behavioral advertising as defined under the CCPA/CPRA. We do not use tracking pixels, advertising cookies, or third-party marketing cookies. We honor universal opt-out preference signals (such as the Global Privacy Control) as required by California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, and Texas.
We will never share your data for third-party marketing. Your data is shared only with the service providers listed in Section 6, and only to the extent necessary to operate the Platform. Those providers are contractually prohibited from using your data for their own purposes.
We will never use your data to train AI models. We do not use your personal data, Customer Data, fund data, or any other information you provide to train artificial intelligence models, large language models, or machine learning systems. This applies to both our own systems and third-party systems. Effective July 1, 2026, Connecticut's amended CTDPA requires disclosure of whether a controller uses personal data for the purpose of training large language models. We state unequivocally: we do not.
We will delete your data when you ask. If you or your GP requests deletion of your data, we will honor that request within thirty (30) days, subject only to legally mandated retention requirements (such as audit log retention for financial record-keeping). We will confirm deletion in writing. We do not create barriers to deletion, and we do not charge fees for data subject requests. Under the CCPA's updated regulations effective January 1, 2026, California consumers may request access to personal information collected back to January 1, 2022. We will honor such requests to the extent we retain the data.
We collect only what is necessary. We adhere to the principle of data minimization as required by the CCPA/CPRA, MODPA, and other applicable state privacy laws. We collect personal information only to the extent reasonably necessary and proportionate to provide the Platform services you or your GP have requested. For sensitive personal information such as Social Security Numbers, we apply the stricter standard of strict necessity required under Maryland's MODPA: we collect SSNs only because they are required for tax reporting (K-1 generation), and we use them for no other purpose. Where state law requires opt-in consent before processing sensitive personal information—including Virginia, Colorado, Connecticut (as amended effective July 1, 2026, to encompass government-issued identification numbers), Oregon, Texas, Delaware, New Jersey, New Hampshire, Montana, Minnesota, Tennessee, Indiana, Kentucky, and Rhode Island—we obtain that consent.
We protect what we collect. Sensitive data receives enhanced technical protections, including field-level encryption for SSNs, multi-tenant isolation enforced at the database level, and signed time-limited URLs for document access. Our security architecture is described in detail in Section 9.
These commitments apply regardless of whether any particular privacy law requires them. They reflect how we believe a company handling sensitive financial and personal data should operate. We have validated each commitment in this section against the requirements of all twenty U.S. state comprehensive privacy laws in effect as of March 2026, the updated CCPA regulations effective January 1, 2026, and the MODPA enforcement provisions effective April 1, 2026.
3. Information We Collect
We collect personal information in the following categories. Where applicable, we have mapped these categories to the classifications used under the CCPA and similar state privacy laws.
3.1 Identifiers
Full legal name, email address, phone number, mailing address, Social Security Number (SSN) or Taxpayer Identification Number (TIN), and account credentials. SSNs and TINs are collected solely for tax reporting purposes (e.g., generation of K-1 forms). SSN/TIN handling is described in detail in Section 9.
3.2 Financial Information
Capital commitment amounts, capital call amounts, distribution amounts and allocations, waterfall calculation outputs, preferred return rates, investment dates, and other fund-related financial data entered by the GP.
3.3 Commercial Information
Subscription plan and tier, billing history, payment method metadata (last four digits of card, expiration date), transaction records with Stripe, and refund history. Capgist does not store full credit card numbers; all payment processing is handled by Stripe.
3.4 Internet and Electronic Activity
IP address, browser type and version, device type, operating system, pages viewed, features used, timestamps of access, and referring URLs. We collect this data through server logs and, where applicable, analytics tools.
3.5 Professional Information
Organization name, role (GP or LP), fund affiliation, title, and professional contact information.
3.6 Sensitive Personal Information
Social Security Numbers and Taxpayer Identification Numbers are classified as sensitive personal information under the CCPA, TDPSA, MODPA, and numerous other state privacy laws. We collect and process SSNs/TINs only for the purpose of tax reporting and only where the GP has confirmed a lawful basis for providing this information. Where required by applicable state law (including Virginia, Colorado, Connecticut, Oregon, Texas, Delaware, New Jersey, New Hampshire, Montana, Minnesota, Tennessee, Indiana, Kentucky, and Rhode Island), we require opt-in consent before processing SSNs. Under Maryland's MODPA, which prohibits the processing of sensitive data except where strictly necessary for the requested service, our SSN collection qualifies as strictly necessary for the tax reporting functionality that GPs have requested. We do not use or disclose sensitive personal information for any purpose other than providing the Platform services.
4. Sources of Information
(a) Directly from GP Customers: When GPs create an account, configure their fund, enter investor information, upload documents, or contact support.
(b) From GPs on Behalf of LPs: GPs provide LP personal information (name, email, SSN, mailing address, capital commitments) to the Platform as part of fund management. LPs do not independently provide most of this data to Capgist.
(c) Directly from LP Investors: When LPs log into the investor portal, update their profile, or contact support.
(d) Automatically: Through server logs and analytics when you access the Platform (IP address, usage data, device information).
(e) From Third-Party Service Providers: Payment information from Stripe; email delivery metadata from Resend, Gmail API, or Microsoft Graph API; bank account information from Plaid.
5. How We Use Your Information
We use personal information for the following purposes:
(a) Providing the Platform: Processing and displaying fund data, calculating waterfall distributions, generating investor statements, facilitating capital calls and distributions, hosting and serving documents, and enabling communications between GPs and LPs.
(b) Account Management: Creating and authenticating accounts, managing subscriptions and billing, processing payments through Stripe, and providing customer support.
(c) Tax Reporting Support: Storing SSNs/TINs to enable GPs to generate tax documents (such as K-1 forms) for their investors.
(d) Email Communications: Sending transactional emails (capital call notices, distribution notices, document sharing notifications, password resets, account alerts) through Resend (default), Gmail API (when GP connects via OAuth), or Microsoft Outlook/Graph API (when GP connects via OAuth).
(e) Security and Fraud Prevention: Monitoring for unauthorized access, enforcing multi-tenant data isolation, logging administrative actions for audit purposes, and investigating security incidents.
(f) Aggregated Analytics and Product Improvement: Creating, analyzing, and using aggregated and anonymized data derived from usage patterns, Platform activity, and service metrics for any lawful business purpose, including product improvement, industry analytics, benchmarking, and research. This data is stripped of all identifiers and cannot be re-identified to any individual, customer, investor, or fund. To the extent Capgist creates such data, it is not personal information under the CCPA, MODPA, TDPSA, or any other applicable state privacy law, and is owned by Capgist as set forth in the Terms of Service.
(g) Legal Compliance: Complying with applicable laws, regulations, legal processes, and governmental requests.
5.1 Legal Basis for Processing
For GP Customers: We process GP personal information on the basis of contractual necessity (performance of our Terms of Service) and, where applicable, legitimate interest in providing and improving the Platform.
For LP Investors: We process LP personal information on the basis of the GP's contractual relationship with Capgist and the GP's legitimate interest in managing their fund. The GP is the data controller for LP data; Capgist is a data processor acting at the GP's direction. Where required by applicable law, we rely on consent (particularly for sensitive personal information such as SSNs).
For Legal Obligations: We process certain data (including audit logs and tax-related information) to comply with legal and regulatory obligations, including financial record-keeping requirements.
6. How We Share Your Information
Consistent with our commitments in Section 2, we do not sell, rent, lease, or trade personal information. We do not share personal information with third parties for their advertising or marketing purposes. We share personal information only in the following limited circumstances:
(a) With Third-Party Service Providers (Sub-Processors): We share personal information with the following service providers, solely for the purposes described below. Each provider processes data on our behalf and is contractually obligated to protect it:
| Provider | Service | Data Processed | Infrastructure |
|---|---|---|---|
| Supabase | Database, auth, file storage, Edge Functions | All Customer Data, credentials, documents | AWS (us-east-1) |
| Vercel | Frontend hosting, CDN | IP addresses, browser data, usage logs | AWS Global Edge |
| Stripe | Subscription billing and payments | Name, email, payment method, billing history | Stripe infrastructure |
| Straddle | ACH payment processing (capital calls and distributions) | Name, bank account details, payment amounts, IP address | Straddle infrastructure |
| Plaid | Bank account linking and verification | Bank account and institution information | Plaid infrastructure |
| Resend | Default transactional email | Recipient email, name, email content | Resend / AWS SES |
| Google (Gmail API) | Email via GP OAuth | Recipient email, name, content, OAuth tokens | Google Cloud |
| Microsoft (Graph API) | Email via GP OAuth | Recipient email, name, content, OAuth tokens | Microsoft Azure |
(b) GP-to-LP Sharing: GPs share fund-related information (documents, capital call notices, distribution statements) with their LPs through the Platform's investor portal. Document visibility is controlled by the GP and may be set to all investors, specific investors, or internal-only.
(c) Legal Requirements: We may disclose personal information if required to do so by law, regulation, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
(d) Business Transfers: In the event of a merger, acquisition, reorganization, or sale of all or substantially all of Capgist's assets, personal information may be transferred to the successor entity, provided the successor agrees to be bound by this Privacy Policy.
(e) With Your Consent: We may share personal information with your explicit consent for purposes not described in this Policy.
7. Investor-Specific Data Practices (LP Investors)
This section is specifically for Limited Partner investors who access the Capgist investor portal.
Your GP manages your data. Your General Partner (the fund manager who invited you to the Platform) is responsible for deciding what personal information about you is entered into Capgist, what documents are shared with you, and how your data is used within the Platform. Capgist processes your data on behalf of your GP.
Capgist is a data processor. In the context of your investor data, Capgist acts as a data processor (or service provider, under CCPA terminology). We process your information only as directed by your GP and as described in this Privacy Policy. We do not independently decide how your personal information is used.
Data access and deletion requests. If you want to access, correct, or delete your personal information, please contact your GP directly. Your GP can submit data access, correction, or deletion requests to Capgist on your behalf, and Capgist will honor those requests. If you are unable to reach your GP or believe your GP is not honoring your request, you may contact Capgist directly at privacy@capgist.com, and we will work to facilitate your request to the extent permitted by law and our obligations to the GP.
What we share with you. Through the investor portal, you can view: your portfolio summary, capital call details, distribution details, and documents that your GP has made visible to you. You cannot access documents that your GP has designated as internal-only.
8. Data Controller vs. Processor Roles
For clarity under applicable data protection laws:
Capgist as Data Controller: Capgist is the data controller for information collected directly for its own business purposes, including: GP account registration information, billing and subscription data, website analytics, and support communications.
Capgist as Data Processor: Capgist is the data processor (or service provider) for all LP investor personal information and all Customer Data entered by the GP into the Platform for fund management purposes. In this capacity, Capgist processes data only at the GP's direction and in accordance with our Terms of Service and our Data Processing Agreement (available upon request).
GP as Data Controller: The GP is the data controller for all LP investor data that it provides to or manages through the Platform. The GP is responsible for ensuring it has a lawful basis for processing LP data and for responding to LP data subject requests.
9. Data Storage and Security
9.1 Infrastructure
All customer data is stored on Supabase, which operates on Amazon Web Services (AWS) infrastructure. Frontend assets are served through Vercel. Documents (K-1s, quarterly reports, legal documents) are stored in Supabase Storage (backed by AWS S3) and accessed via signed, time-limited URLs. No customer data is stored on local servers, developer workstations, or any infrastructure outside of our production cloud environment.
9.2 Multi-Tenant Isolation
The Platform uses a multi-tenant architecture with strict logical data isolation. Every database table is scoped by a unique tenant identifier (tenant_id). Row-Level Security (RLS) policies are enforced at the PostgreSQL database level via Supabase, ensuring that database queries can only return data belonging to the authenticated tenant. One customer's data is never accessible to another customer.
9.3 SSN/TIN Encryption
Social Security Numbers and Taxpayer Identification Numbers receive enhanced protection:
(a) Encryption at rest: Full SSNs/TINs are encrypted using AES-GCM symmetric encryption with PBKDF2-derived keys before being stored in the database. The encryption key is derived from a master secret that is stored separately from the database.
(b) Plaintext storage limited to last four digits: Only the last four digits of the SSN/TIN are stored in plaintext, for identification and verification purposes only.
(c) No display after entry: Full SSNs are never displayed in the Platform's user interface after initial entry. Users see only the masked format (***-**-1234).
(d) Access controls: Encrypted SSN data is accessible only to authorized GP administrator users and only for the purpose of tax document generation.
9.4 Authentication and Access Control
The Platform uses Supabase Auth with PKCE (Proof Key for Code Exchange) flow. Four role levels exist: admin (GP administrators with full fund management access), privileged viewer (GP team members with elevated read access), viewer (LP investors with access to their own portfolio data), and platform administrator (Capgist internal, used solely for platform operations and support). Multi-factor authentication (MFA) is supported by the Platform's authentication infrastructure. Password resets are handled via authenticated, time-limited email links.
9.5 Audit Logging
Sensitive and security-relevant administrative actions (including SSN access, investor data changes, email sends, and authentication events) are logged with timestamp, user identity, action type, and affected record. Audit logs are retained for the life of the active account and for seven (7) years after account termination, consistent with financial record-keeping best practices.
9.6 Document Access Controls
Documents stored in the document vault are accessed through signed, time-limited URLs that expire after a short period. Documents are served only to authenticated users with appropriate permissions. GPs control document visibility at three levels: visible to all investors in the fund, visible to specific named investors, or internal-only (never accessible to any investor).
10. Email Data Flow
The Platform sends emails through one of three providers, depending on the GP's configuration:
(a) Resend (Default): If the GP has not connected a custom email account, transactional emails are sent through Resend, Inc. using Capgist's sending domain. Resend receives the recipient's email address, name, and the email content.
(b) Gmail API: If the GP connects their Google Workspace or Gmail account via OAuth, emails are sent through the Gmail API using the GP's email address as the sender. Capgist stores the OAuth token in the GP's tenant record. Capgist does not access the GP's inbox or email history; the OAuth scope is limited to sending emails.
(c) Microsoft Outlook / Graph API: If the GP connects their Microsoft 365 or Outlook account via OAuth, emails are sent through the Microsoft Graph API using the GP's email address as the sender. Capgist stores the OAuth token in the GP's tenant record. Capgist does not access the GP's inbox or email history; the OAuth scope is limited to sending emails.
In all cases, OAuth tokens are stored encrypted within the GP's tenant record and are not accessible to other tenants.
11. Data Retention
(a) Active Accounts: Customer Data is retained for the life of the active account.
(b) Terminated Accounts: Upon account termination, the GP may request a data export within thirty (30) days. After the export window closes, all Customer Data (including LP investor data, fund data, documents, and encrypted SSNs) is permanently deleted within thirty (30) additional days.
(c) Audit Logs: Audit logs are retained for seven (7) years after account termination, consistent with financial record-keeping best practices and applicable regulations.
(d) Aggregated Data: Aggregated and anonymized data that cannot be re-identified to any individual, customer, investor, or fund may be retained indefinitely. Because this data does not constitute personal information under applicable law, its retention and use are not subject to the data subject rights or deletion obligations described in this Policy.
(e) Backup Deletion: Data that exists in backups will be deleted as backups are rotated in the ordinary course, but in no event later than ninety (90) days after deletion from the primary database.
(f) Data Deletion Requests: Capgist will honor any data deletion request submitted by a GP on behalf of themselves or their investors. Upon receiving a valid deletion request, we will delete the specified data within thirty (30) days, subject to legal retention requirements. We will confirm deletion in writing.
12. Data Breach Notification
In the event of a confirmed security breach involving unauthorized access to unencrypted personal information:
(a) Investigation. We will promptly investigate to determine the nature, scope, categories of data involved, and individuals affected.
(b) Notification to Regulators. Where required by law, we will notify the appropriate state Attorney General or regulatory authority, including prior to individual notification where required by state law (such as New Hampshire, New Jersey, Maryland, and Florida for breaches affecting 500 or more individuals).
(c) Notification to Individuals. Within seventy-two (72) hours of breach confirmation (completion of a good-faith investigation determining that personal information was accessed by an unauthorized party), we will notify affected individuals by email, including: a description of the incident and estimated date; the types of personal information involved; steps taken in response; steps individuals can take to protect themselves; and contact information for Capgist, the FTC, and applicable state agencies.
(d) Credit Monitoring. If Social Security Numbers or financial account information are involved in the breach, we will offer affected individuals information about identity theft protection resources, and where required by applicable law or where we determine it is appropriate under the circumstances, we will provide complimentary credit monitoring services at no cost to affected individuals.
(e) GP Notification. If LP investor data is involved, we will notify the affected GP(s) promptly so that the GP can fulfill its own notification obligations to its investors.
(f) Law Enforcement Exception. Notification may be delayed at law enforcement's request if notification would impede a criminal investigation, as permitted by applicable law.
13. Cookies and Tracking Technologies
The Platform uses strictly necessary cookies for authentication, session management, and security (such as CSRF protection). We do not use advertising cookies, tracking pixels, or third-party marketing cookies. We do not engage in cross-site tracking or behavioral advertising. We do not respond to universal opt-out preference signals because we do not engage in any activity that such signals are designed to restrict; however, we recognize and respect them as an expression of user preference.
If we introduce analytics cookies in the future, we will update this Privacy Policy and provide notice and, where required, obtain consent prior to deployment.
14. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
(a) Right to Access: Request a copy of the personal information we hold about you.
(b) Right to Correction: Request correction of inaccurate or incomplete personal information.
(c) Right to Deletion: Request deletion of your personal information, subject to legal retention requirements. We will honor all valid deletion requests.
(d) Right to Data Portability: Request your personal information in a structured, commonly used, and machine-readable format.
(e) Right to Object: Object to the processing of your personal information in certain circumstances.
(f) Right to Restrict Processing: Request that we limit our processing of your personal information in certain circumstances.
(g) Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. We will cease processing within fifteen (15) days of receiving a consent withdrawal request.
To exercise any of these rights, contact us at privacy@capgist.com. We will verify your identity and respond within thirty (30) days, or within the timeframe required by applicable law. We will not discriminate against you for exercising your rights.
LP investors: Please direct data requests to your GP in the first instance, as described in Section 7. If you are unable to resolve your request through your GP, contact us directly.
15. State-Specific Privacy Rights
As of the effective date of this Policy, comprehensive consumer data privacy laws are in effect in over twenty U.S. states, with additional states enacting or amending their laws on an ongoing basis. If you are a resident of any state with applicable consumer data privacy legislation, you may have additional rights regarding your personal information. This section addresses the states with the most significant requirements relevant to Capgist's operations.
15.1 California (CCPA/CPRA)
California residents have the right to know, delete, correct, and opt out of the sale or sharing of personal information. Capgist does not sell personal information and does not share personal information for cross-context behavioral advertising. You have the right to limit the use of sensitive personal information (including SSNs) to purposes necessary to provide the service. We collect the following CCPA categories: Identifiers (name, email, SSN/TIN, account ID); Financial information (commitment amounts, distribution records); Commercial information (subscription records, transaction history); Internet/electronic activity (usage data, page views, feature usage); and Professional information (organization, role, fund affiliation). California's automated decision-making technology (ADMT) regulations, effective January 1, 2026, require opt-out rights where ADMT replaces or substantially replaces human decision-making. Capgist's waterfall distribution engine is a computational tool that assists human decision-making; GPs are required to independently verify all outputs before acting on them.
15.2 Maryland (MODPA)
The Maryland Online Data Privacy Act (MODPA), which applies to personal data processing activities from April 1, 2026, imposes a stricter standard than most state laws. MODPA prohibits the sale of sensitive data under all circumstances, including with consumer consent, and requires that sensitive data processing be “strictly necessary” to provide a requested service. Capgist's processing of SSNs meets this standard because SSN collection is strictly necessary for the tax reporting functionality that GPs have requested. Capgist does not sell any personal data and does not process sensitive data for any purpose beyond providing the Platform services. MODPA also requires recognition of universal opt-out preference signals; while Capgist does not engage in activities targeted by such signals, we recognize and respect them.
15.3 Texas (TDPSA)
The Texas Data Privacy and Security Act has no revenue threshold for applicability. Capgist requires opt-in consent before processing sensitive data (including SSNs) of Texas residents and does not sell personal information. Capgist supports the universal opt-out mechanism required under Texas law.
15.4 Other State Laws
Under the Virginia CDPA, Colorado CPA, Connecticut CTDPA (as amended effective July 1, 2026, to include expanded sensitive data categories), Oregon OCPA, Montana MCDPA (with its lower 25,000-consumer threshold), Minnesota MCDPA, Tennessee TIPA, Delaware DPDPA, New Hampshire Privacy Act, New Jersey NJDPA, Nebraska NDPA, Iowa ICDPA, Indiana INCDPA, Kentucky KCDPA, and Rhode Island RIDTPPA (all effective January 1, 2026 or earlier), you may have the right to access, correct, delete, and obtain a copy of your personal information, as well as the right to opt out of targeted advertising, sale of personal information, and certain profiling activities. Capgist does not engage in any of these activities. Where required by state law, we obtain opt-in consent before processing sensitive personal information including SSNs.
15.5 Exercising Your Rights
To exercise any state-specific privacy right, contact us at privacy@capgist.com. We will verify your identity and respond within forty-five (45) calendar days, with an optional forty-five (45) day extension if reasonably necessary and we provide notice of the extension. We will not discriminate against you for exercising your rights. If we decline a request, we will explain the reason and inform you of your right to appeal.
16. International Users and GDPR
Capgist is based in the United States and primarily serves U.S.-based customers. If you access the Platform from outside the United States, your personal information will be transferred to and processed in the United States.
If the European Union General Data Protection Regulation (GDPR) or the UK GDPR applies to you, you have the rights described in Section 14 of this Policy. In addition, you have the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are: performance of a contract (for GP customers); legitimate interests of the GP data controller (for LP data processing); consent (for sensitive personal information where required); and compliance with legal obligations.
Where required, we will enter into Standard Contractual Clauses (SCCs) or other appropriate data transfer mechanisms to ensure adequate protection for international data transfers. GPs requiring a Data Processing Agreement with EU Standard Contractual Clauses should contact legal@capgist.com.
17. Children's Privacy
The Platform is designed for use by businesses and accredited investors. It is not directed at children under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will delete that information promptly. If you believe a child under 18 has provided personal information to us, please contact us at privacy@capgist.com. This provision is consistent with enhanced minor protections under state privacy laws including Maryland, Connecticut, Delaware, Montana, and others that extend protections to individuals under 18.
18. Do Not Track Disclosure
The Platform does not respond to “Do Not Track” browser signals. However, as described in Section 13, we do not engage in cross-site tracking or behavioral advertising, so the practical effect is the same regardless of your DNT setting. We recognize and respect universal opt-out preference signals (such as Global Privacy Control) as described in Sections 13 and 15.
19. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide at least thirty (30) days' advance written notice of material changes by sending an email to the address associated with your account. The updated Policy will specify the new effective date. Your continued use of the Platform after the effective date constitutes your acceptance of the changes.
20. Contact
If you have questions about this Privacy Policy, your personal information, or our data practices, please contact us:
Capgist LLC
- Privacy inquiries: privacy@capgist.com
- General legal: legal@capgist.com
- Security concerns: security@capgist.com
- Support: support@capgist.com