Privacy Policy

CodeAspen Solutions LLC is an AI and automation consulting agency headquartered in Houston, Texas. We provide AI strategy, custom automation, and data engineering services to businesses across the United States.

When you submit our contact form or otherwise reach out to us, we collect:

• Name — first and last name
• Email address — business or personal email
• Phone number — if provided (optional)
• Company name — if provided
• Industry — selected from provided options
• Budget range — selected from provided options
• Timeline — selected from provided options
• Project description — free-text message content
• Conversational content — text of any messages you send to our conversational interface, including any contact details, company information, or project details you choose to share

If you elect to submit a lead through the conversational interface, the interface may request at least one of an email address or a phone number, along with your name. Conversation content associated with a lead may be retained as part of that lead record.

When you visit our website, our hosting infrastructure and third-party services may automatically collect:

• IP address
• Browser type and version
• Operating system
• Referring URL
• Pages visited and time spent
• Device identifiers
• Conversational session identifiers — when you interact with our conversational interface, we generate identifiers that allow us to associate messages with a single conversation and to associate multiple conversations with the same browser
• Operational telemetry — message counts, processing latency, and error events used to monitor reliability, cost, and abuse

We use privacy-focused analytics and advertising-measurement technologies on this website. These technologies — together with the first-party cookies we set for click and campaign attribution — are described in detail in Section 11 ("Cookies & Tracking Technologies").

This website loads typefaces from a third-party web typography provider. When fonts are loaded from the provider's content delivery network, the provider may receive your IP address, the URL of the page you are visiting, and certain HTTP header data (such as your browser user-agent and referrer). The provider's use of this data is governed by its own privacy policy.

We do not knowingly collect:

• Social Security numbers or government-issued identification numbers
• Financial account or payment card information through this website
• Biometric data
• Precise geolocation data
• Health or medical information
• Information from children under the age of 13

We use the personal information we collect for the following purposes:

• Responding to inquiries — to reply to your contact form submission and discuss potential engagements
• Service delivery — to provide AI, automation, and data engineering services you have engaged us for
• Communication — to send you project updates, invoices, and service-related communications
• Legal compliance — to comply with applicable laws, regulations, legal processes, or enforceable government requests
• Security — to protect against unauthorized access, fraud, and other security threats
• Website operation — to maintain, improve, and ensure the functionality of our website
• Advertising measurement and attribution — to measure the effectiveness of our advertising campaigns, attribute leads to the campaigns that produced them, and build audiences for future advertising (see Section 11 for the technologies involved and Section 9 for your California opt-out rights)

We do not sell your personal information for money. We do not use your data to train AI models. We do share limited personal information (including hashed email, hashed phone, IP address, and click identifiers) with our advertising-measurement platforms for advertising measurement and audience building, as described in Section 11. Under California law, this may qualify as "sharing" for cross-context behavioral advertising — see Section 9 for your opt-out rights.

We share personal information with categories of service providers ("processors") solely for the purposes described in this policy. Each such processor is contractually obligated to use the data only as we direct and to implement appropriate security measures. Where a processor's identity is material to a visitor's exercise of their privacy rights, we may disclose that identity in response to a verified privacy request.

We may also share information with professional advisors (legal, accounting) as needed, and with law enforcement or government authorities when required by law.

We retain personal information only for as long as reasonably necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Specifically:

• Contact form submissions — retained for the duration of any resulting business relationship and for a reasonable period thereafter for legal and accounting purposes
• Conversational interface transcripts — retained for the duration of any resulting business relationship and for a reasonable period thereafter for legal and operational purposes
• Server logs — retained per our hosting provider's standard log retention schedules
• Email records — retained in accordance with our email provider's standard practices

You may request deletion of your personal information at any time (see "Your Privacy Rights" below).

Deletion applies to records held by us and our processors that we directly control. Our AI / LLM service provider may retain API request data for up to 30 days under its own trust-and-safety retention schedule, independent of our retention; we cannot accelerate that timeline.

We implement reasonable administrative, technical, and physical safeguards designed to protect the personal information we collect. These measures include:

• Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
• Encryption at rest — database records are encrypted at rest by our infrastructure provider
• Access controls — access to personal data is restricted to authorized personnel on a need-to-know basis
• Security headers — our website implements HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and other security headers
• Rate limiting — form submissions are rate-limited to prevent abuse
• Input validation — all user inputs are validated and sanitized server-side
• Row-level security — database access controls enforce field-level validation as defense-in-depth

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

Depending on your state of residence, you may have the following rights under applicable privacy laws, including the Texas Data Privacy and Security Act (TDPSA), the California Consumer Privacy Act (CCPA/CPRA), and other state privacy statutes:

How to Exercise Your Rights

To submit a privacy rights request, email us at daniyal@codeaspen.com with the subject line "Privacy Rights Request." Please include:

• Your full name and email address (so we can locate your records)
• The specific right(s) you wish to exercise
• Any details that will help us identify and respond to your request

We will acknowledge your request within 10 business days and respond substantively within 45 days of receipt, as required by applicable law. If we need additional time (up to an additional 45 days), we will notify you of the extension and the reason.

We may need to verify your identity before fulfilling your request. If we deny your request, we will provide a written explanation and instructions for how to appeal the decision.

Authorized Agents

You may designate an authorized agent to submit a privacy request on your behalf. We may require the agent to provide proof of authorization and may contact you directly to verify the request.

Universal Opt-Out Signals

We respect "Do Not Track" (DNT) and Global Privacy Control (GPC) browser signals as expressions of a visitor's preference to opt out of cross-context behavioral advertising. See Section 12 for further detail and Section 11 for the industry-wide opt-out tools that allow you to control these technologies directly.

Under the Texas Data Privacy and Security Act (TDPSA), Texas residents have the rights described in Section 7 above. Additional disclosures required by Texas law:

• Sale of personal data: We do not sell your personal data as defined under the TDPSA.
• Sale of sensitive data: We do not sell sensitive personal data or biometric personal data.
• Profiling: We do not engage in profiling that produces legal or similarly significant effects on consumers.
• Sensitive data consent: We do not collect sensitive personal data (as defined under TDPSA) through this website. If we ever need to process sensitive data in the course of a client engagement, we will obtain your explicit opt-in consent first.
• Appeal process: If we deny your privacy rights request, you may appeal by emailing daniyal@codeaspen.com with the subject "Privacy Rights Appeal." We will respond to your appeal within 60 days. If your appeal is denied, you may contact the Texas Attorney General to file a complaint.

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

Categories of personal information collected in the preceding 12 months:

• Identifiers — name, email address, phone number, IP address, advertising click identifiers, advertising-platform browser and click cookies, and internal event identifiers
• Commercial information — records of services requested (contact form submissions including industry, budget, timeline)
• Internet activity — browsing history on our website, information about your interaction with our site, and UTM campaign parameters
• Professional information — company name, job title (if provided)

Sources: Directly from you (contact form), automatically from your device (server logs, analytics, ad-platform pixels), and from referring advertising platforms (click identifiers).

Business purposes for collection: Responding to inquiries, providing services, website operation, security, and advertising measurement / attribution (as described in Sections 3 and 11).

Sale of personal information: We do not sell personal information of California consumers for monetary consideration.

Sharing for cross-context behavioral advertising: We do share personal information with our advertising-measurement platforms for purposes that may constitute "sharing" under the CCPA/CPRA. Specifically, we disclose hashed email address, hashed phone number, hashed name, IP address, user agent, and advertising click identifiers to these platforms to measure advertising effectiveness, attribute conversions, and build remarketing audiences. The categories of personal information shared include identifiers and internet activity information.

Your right to opt out of sharing: California residents may opt out of this sharing by (a) using the platform-level opt-out links listed in Section 11, (b) using browser controls to block or delete the relevant cookies, or (c) emailing us at daniyal@codeaspen.com with the subject line "Do Not Share My Personal Information." We do not knowingly sell or share the personal information of consumers under 16 years of age.

Sensitive personal information: We do not use or disclose sensitive personal information for purposes that would require an opt-out right under Cal. Civ. Code § 1798.121.

California residents may exercise their other rights as described in Section 7. You may also reach us at daniyal@codeaspen.com.

In accordance with the Texas Responsible Artificial Intelligence Governance Act (TRAIGA) and emerging best practices:

• This website provides an AI-assisted conversational interface that may generate responses to your questions in real time. The interface is intended for general informational and lead-intake purposes. It does not make automated decisions producing legal or similarly significant effects regarding you, and is not used for credit, employment, housing, insurance, or eligibility decisions.
• Client engagements may involve the development, deployment, or integration of AI systems. Where AI systems are part of a client engagement, we will disclose the purpose, capabilities, and limitations of those systems in the applicable statement of work or service agreement.
• AI-generated outputs are probabilistic and may contain inaccuracies. Pricing, timelines, and service capabilities discussed via the conversational interface are illustrative and non-binding. Binding commitments are formalized only through a written engagement agreement.
• Personal information collected through this website is not used to train, fine-tune, or improve any machine-learning models. This applies to information you submit through the contact form and to content you share with the AI-assisted conversational interface. Our processors are contractually obligated to the same restriction.

This website uses three categories of cookies and tracking technologies:

A. Essential First-Party Cookies

Required for the basic operation of the site (such as CSRF protection for form submissions and security headers). These cookies cannot be disabled without breaking core functionality.

A2. Conversational Interface Cookies

If you interact with our AI-assisted conversational interface, we set the following first-party cookies:

• Visitor identifier — a randomly generated, non-personally-identifying value that allows us to associate multiple conversations with the same browser. Lifetime: up to 24 months. Not shared with third parties. Cleared automatically when you clear your browser cookies or pursuant to a verified deletion request.
• Conversation identifier — points at your currently active conversation in our database. Configured as HttpOnly and SameSite=Lax. Lifetime: up to 90 days, refreshed on each interaction.

B. Analytics

Our website uses a privacy-focused first-party analytics technology to capture aggregate engagement data. The analytics technology does not set cookies, does not use cross-site identifiers, and does not retain raw IP addresses. It captures aggregate pageview data, referrer URL, country (derived from IP), device type, browser, and anonymous custom events. All analytics traffic is routed through a first-party subdomain.

C. Advertising & Conversion Measurement

Our website uses advertising-measurement technologies — provided by multiple advertising platforms — to measure the effectiveness of advertising campaigns and to attribute leads to the campaigns that produced them. The following categories of cookies and tracking technologies may be set when you visit our site:

• Advertising-platform cookies. Multiple advertising-measurement platforms set first-party cookies for click attribution and event tracking, and may receive PageView and conversion events. Cookie lifetimes vary by platform.
• Server-side conversion forwarding. After you submit our contact form, we may forward hashed contact details (email, phone, name where applicable), IP address, user agent, and advertising click identifiers to one or more advertising platforms via their server-side conversion APIs, for purposes of conversion measurement and audience-building.
• First-party attribution cookies. We set our own first-party cookies to remember the campaign that brought you to the site across page navigations. These cookies expire after up to 90 days and are read only when you submit our contact form. They are deleted when you clear your browser cookies.

D. How to Opt Out

You can control or block the cookies described above using your browser's privacy settings. You may also opt out of personalized advertising at the industry level using either of the following unified opt-out tools, which provide controls across most major advertising platforms:

• Network Advertising Initiative (NAI): optout.networkadvertising.org
• Digital Advertising Alliance (DAA): optout.aboutads.info

To request opt-out from a specific advertising platform we use, or for assistance opting out, contact us at daniyal@codeaspen.com and reference the subject line "Advertising Opt-Out Request." We will action verified requests within a reasonable period.

California residents have additional statutory rights with respect to the sharing described above — see Section 9.

We respect Do Not Track ("DNT") and Global Privacy Control ("GPC") browser signals as expressions of a visitor's preference to opt out of cross-context behavioral advertising. Visitors transmitting these signals are treated as having opted out of such activities to the extent applicable under California, Texas, and similar state privacy laws.

Where a DNT or GPC signal applies, the right to opt out reaches the cross-context behavioral advertising activities described in Section 11 (subsection C). It does not reach our use of essential cookies, our use of privacy-focused first-party analytics, our processing of contact-form submissions, or our processing of conversations with the AI-assisted conversational interface — all of which are necessary to operate the website and respond to your inquiries.

California and Texas residents have additional statutory rights — see Sections 7, 8, and 9.

Our website and services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we discover that we have inadvertently collected information from a child under 13, we will promptly delete that information. If you believe a child under 13 has provided us with personal information, please contact us at daniyal@codeaspen.com.

In the event of a data breach that affects your personal information, we will notify affected individuals and applicable regulatory authorities (including the Texas Attorney General) without unreasonable delay and within the timeframes required by applicable law. Under Texas law, notification will be provided no later than 60 days after discovery of the breach.

This website is operated from the United States. If you are visiting from outside the United States, please be aware that your personal information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using this website and providing your information, you consent to such transfer, storage, and processing.

Our website may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites. We encourage you to review the privacy policies of every site you visit.

We comply with the CAN-SPAM Act. Any commercial or marketing emails we send will:

• Identify the message as an advertisement (where applicable)
• Include our valid physical postal address
• Include a clear and conspicuous unsubscribe mechanism
• Honor opt-out requests within 10 business days

Transactional emails related to active service engagements (e.g., project updates, invoices) are not considered commercial email under CAN-SPAM and will continue to be sent as necessary.

We operate an AI-assisted conversational interface on this website that allows you to ask questions about our services, request a proposal, or share project details for a follow-up conversation. This section summarizes how that interface handles your information.

What we collect

• The textual content of messages you send to the interface and responses generated in reply.
• Metadata about each conversation, such as timestamps, message counts, processing latency, and any operational errors.
• A first-party visitor identifier cookie (lifetime: up to 24 months) and a per-conversation identifier cookie (lifetime: up to 90 days, configured as HttpOnly).
• Where you elect to share contact details (such as name, email, phone, company, or project description), those details may be added to a lead record in our database — the same destination as a contact-form submission.

How we use it

• To respond to your inquiries during the conversation.
• To follow up by email or phone after the conversation, where you have shared contact details.
• To monitor for abuse, prompt-injection attempts, and operational errors.
• To improve the reliability of the interface, including review of conversations that produced errors or anomalous outcomes by authorized personnel only.

How it is processed

• Sensitive numeric patterns (such as Social Security Numbers, credit card numbers, dates of birth, and Individual Taxpayer Identification Numbers) are automatically redacted from your messages before they are stored in our database and before they are forwarded to our AI / LLM service provider.
• Other personal information you elect to share is forwarded to our AI / LLM service provider so the interface can respond appropriately.
• Our AI / LLM service provider is contractually obligated not to use customer-API content to train or fine-tune its models. Our service-provider relationships are described in Section 4.
• Our AI / LLM service provider may retain API request data for up to 30 days under its independent trust-and-safety retention schedule.

How long we keep it

• Conversation transcripts are retained for the duration of any resulting business relationship and for a reasonable period thereafter for legal and operational purposes.
• Cookie identifiers are governed by Section 11.A2.
• You may request deletion of your conversation history at any time by contacting the address in Section 20. We will action verified deletion requests within 30 days. Lead records derived from conversational interactions are subject to the same retention and deletion processes as contact-form leads.

What the interface will not do

• The interface does not make legally binding commitments on our behalf. Pricing and timeline information is illustrative; binding commitments are formalized only through a written engagement agreement.
• The interface does not make automated decisions producing legal or similarly significant effects regarding you.
• The interface is not a substitute for professional legal, medical, financial, tax, or other advice.

Your choices

• You may decline to use the conversational interface; the contact form, email, and phone channels remain available.
• You may use the in-interface "Reset" control to start a fresh conversation. Reset does not delete prior conversation records from our database; it only ends rehydration of prior content into the active interface.
• You may clear your browser cookies to remove our visitor and conversation identifiers; doing so will not delete already-stored transcripts.
• You may contact us as described in Section 5 to request deletion of stored transcripts.

We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. For material changes that significantly affect how we handle your personal information, we will provide additional notice (such as an announcement on our website or direct notification to affected individuals).

We encourage you to review this policy periodically. Your continued use of our website after changes are posted constitutes your acceptance of the updated policy.

If you have questions or concerns about this Privacy Policy, our data practices, or your privacy rights, contact us at: