Privacy policy

Effective: 2026-05-04. Last updated: 2026-05-05.

Who we are

CrestVisor ("CrestVisor", "we", "us") operates the website at crestvisor.com and provides digital marketing, website design, marketing automation, and custom-software services to small-to-medium businesses. CrestVisor is an online-only operation; we do not currently maintain a public physical office. The best way to reach us is by email at hello@crestviralmarketing.com.

For purposes of GDPR, CrestVisor is the data controller for personal information collected through this website. For CCPA/CPRA, we are a "business" as defined under California law.

Information we collect

Information you provide directly

When you submit a form on this site, we receive whatever you put in it. Specifically:

• Contact form (/contact/) — name, email address, phone number (optional), website URL (optional), message.
• Website SEO Audit (/website-seo-audit/) and Website ADA Audit (/services/website-ada-audit/) — name, email address, and the website URL you want audited.
• Free business process audit (/services/process-optimization-audit/) — name, email, business name, and any details you share during the discovery call.
• Bookings (via our scheduling provider, currently Calendly) — whatever the calendar widget collects, typically name, email, and any answers to scheduling questions you choose to provide.

You do not need to create an account to use this website. We do not request payment information through this site; if we contract with you, billing is handled through a separate process documented in your engagement agreement.

Information collected automatically

When you visit this site, our hosting infrastructure logs technical information automatically:

• Server / CDN access logs — IP address, user agent, the URL you requested, the referring URL, timestamp, response status. These are produced by Amazon CloudFront and S3 access logging and retained for up to 90 days for security and operations purposes.
• Analytics cookies — we use Google Analytics 4 to understand traffic patterns (which pages people read, where visitors come from, broad device/region breakdowns). On your first visit, a banner asks you to Accept or Decline these cookies. Only if you accept does GA4 set first-party cookies (_ga and _ga_GNGMVBRBL0, persisting up to 2 years). If you decline, GA4 sends only aggregate, cookieless "consent-mode" measurement pings — no identifiers, no profile. IP addresses are truncated by Google before logging; we do not enable Google signals, advertising features, or cross-site identity-stitching. See our cookie policy for the full cookie list.
• Other cookies — embedded third-party widgets (e.g., the Calendly booking widget) may set strictly-necessary cookies for their own functionality.

We do not run advertising pixels (Meta Pixel, TikTok Pixel, Google Ads remarketing, etc.) on this site, and we do not use cross-context behavioral advertising or sell personal data.

Information from audits we run for you

If you submit a URL through our free website audit, we run automated scans against that URL on your behalf. This produces technical data about your site (Lighthouse scores, SSL certificate metadata, on-page SEO metrics, schema validation results). We send some of this to third-party APIs (see "How we share information") to perform the analysis.

Legal basis for processing (EU / UK / Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information on the following legal bases:

• Performance of a contract — to provide a service or audit you requested.
• Legitimate interests — to operate our business, secure our infrastructure, prevent fraud and abuse, and respond to your inquiries.
• Consent — for any optional communications (e.g., follow-up emails) that you opt in to. You can withdraw consent at any time.
• Legal obligations — when we must retain or disclose information to comply with applicable law.

How we use information

We use the information we collect to:

• Reply to your inquiries and deliver the service or audit you requested.
• Send the audit report or service-related communications you signed up for.
• Operate, maintain, and improve our website and services.
• Detect, prevent, and respond to fraud, abuse, or security incidents.
• Comply with legal obligations and enforce our terms of service.

We do not use your information for cross-context behavioral advertising, retargeting, or profiling for advertising purposes.

How we share information

We do not sell your personal information. We share it only with the parties listed below, only to the extent necessary to operate our business:

Service providers (sub-processors)

• Amazon Web Services (AWS) — website hosting (S3, CloudFront), DNS (Route 53), and serverless infrastructure (Lambda) for our free website audit and contact form. Data is processed primarily in us-east-1 (United States). AWS privacy notice.
• Google Workspace (Gmail SMTP) — used to deliver Website SEO Audit and Website ADA Audit reports and contact-form replies from hello@crestviralmarketing.com. Google privacy policy.
• Google Analytics 4 — first-party site analytics (page views, traffic sources, broad device/region breakdowns). Receives a per-visit pseudonymous identifier and the URLs you visit on this site. We have not enabled Google signals, demographics, ads-account linking, or cross-site identity-stitching. Google privacy policy.
• Calendly — scheduling provider for our 30-minute strategy calls. Receives whatever you provide on the booking form (typically name, email, scheduling questions). Calendly privacy policy.
• Google PageSpeed Insights API — used by our free website audit to fetch Lighthouse scores for the URL you submit. We send the URL only; we do not transmit your contact details to Google.
• Google Safe Browsing API — used by our free website audit to check whether the URL you submit appears in Google's malware/phishing blocklist. We send the URL only.

Each provider above is contractually bound to use information only for the purposes we direct and to maintain reasonable security safeguards.

Legal and protective disclosures

We may disclose information when we believe in good faith that disclosure is necessary to (a) comply with applicable law, court order, or other legal process; (b) protect our rights, property, or safety, or that of our users or the public; or (c) detect, prevent, or address fraud, security, or technical issues.

Business transfers

If CrestVisor is involved in a merger, acquisition, sale of assets, or insolvency, your information may be transferred as part of that transaction. We will provide notice (e.g., on this page) before your information becomes subject to a different privacy policy.

What we do not do

• We do not sell or rent your personal information.
• We do not share your information with advertising networks or data brokers.
• We do not engage in cross-context behavioral advertising.

International data transfers

CrestVisor is based in the United States, and our service providers (notably AWS, Google, and Calendly) process data primarily in the United States. If you access this website from outside the United States, your information will be transferred to, stored in, and processed in the United States.

Where we transfer personal information of EEA, UK, or Swiss data subjects to the United States, we rely on appropriate transfer mechanisms, including the EU–U.S. Data Privacy Framework (where the recipient is certified) and the Standard Contractual Clauses approved by the European Commission, supplemented by additional safeguards as required.

How long we keep information

We retain personal information only as long as we need it for the purposes described in this policy:

• Form submissions and CRM records — kept for up to 36 months from the last interaction, or longer if required to perform a contract with you. You can request deletion sooner (see "Your rights").
• Audit reports — kept for up to 12 months in case you ask for a re-send.
• Server / CDN access logs — up to 90 days, then deleted via the bucket lifecycle policy.
• Records we must keep for legal or accounting reasons — for the period required by law (typically 7 years for tax records).

How we protect your information

We use reasonable technical and organizational measures to protect personal information, including: TLS 1.2+ encryption in transit (all pages served over HTTPS via ACM-issued certificates); AES-256 server-side encryption at rest in S3; access controls scoped via AWS IAM and least-privilege policies; and access logging on infrastructure. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

If we become aware of a personal-data breach affecting your information, we will notify you and, where applicable, the relevant supervisory authority within the time required by law (72 hours under GDPR).

Your privacy rights

Everyone

Regardless of where you live, you can:

• Ask us what information we have about you.
• Ask us to correct inaccurate information.
• Ask us to delete your information (subject to legal exceptions, e.g., records we must keep for tax purposes).
• Unsubscribe from optional communications at any time using the link in the email or by contacting us directly.

EU / UK / Swiss data subjects (GDPR, UK GDPR)

If you are in the EEA, UK, or Switzerland, you have the following rights with respect to your personal information:

• Right of access — to receive confirmation of whether we process your data and a copy of it.
• Right to rectification — to correct inaccurate or incomplete information.
• Right to erasure ("right to be forgotten") — to have your information deleted in certain circumstances.
• Right to restrict processing — to limit how we use your information in certain circumstances.
• Right to data portability — to receive your information in a structured, machine-readable format.
• Right to object — to processing based on legitimate interests.
• Right to withdraw consent — at any time, where processing is based on consent.
• Right to lodge a complaint with your local data protection authority (a list is published by the European Data Protection Board).

California residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know — what categories and specific pieces of personal information we collect, the sources, the purposes, and the categories of third parties we share it with.
• Right to delete — your personal information, subject to legal exceptions.
• Right to correct — inaccurate personal information.
• Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing for you to opt out of, but you have this right.
• Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined under CPRA.
• Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

Categories of personal information we collect (as defined under CCPA / CPRA), within the previous 12 months:

• Identifiers — name, email address, phone number, IP address.
• Internet or other electronic network activity information — browsing data, request logs.
• Inferences — none. We do not generate consumer profiles.

We have not "sold" personal information as defined under CCPA / CPRA in the previous 12 months and have no plans to do so.

To exercise any of these rights, email hello@crestviralmarketing.com. We will verify your identity (typically by confirming control of the email address on file) before responding. We respond within 45 days; we may extend by another 45 days if reasonably necessary, and will notify you if so.

Other US states

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have similar rights to access, correct, delete, or opt out of certain processing. Use the same email address above to exercise those rights; we will honor any rights granted to you under applicable state law.

Children's privacy

This website is not directed to children under 13 (or under 16 in the EEA / UK), and we do not knowingly collect personal information from them. If you believe we have collected information from a child, contact us and we will delete it.

Cookies and tracking

See our cookie policy for the current list of cookies and similar technologies. We do not use Google Analytics, Meta Pixel, or any cross-site tracking pixels on this website.

Do Not Track and Global Privacy Control

This website does not engage in tracking that would be regulated by the "Do Not Track" browser signal, so the signal has no impact on your experience. We honor the Global Privacy Control (GPC) signal as an opt-out of any sale or sharing — though, as noted above, we do not sell or share personal information regardless.

Changes to this policy

We may update this privacy policy from time to time. When we do, we will revise the "Last updated" date at the top and, for material changes, we will notify you (e.g., by posting a prominent notice on the site or by email). We encourage you to review this page periodically.

Contact us

For privacy questions, requests to exercise your rights, or any other privacy-related concern:

• Email: hello@crestviralmarketing.com (subject line: "Privacy request")

CrestVisor is an online-only business; we do not currently publish a postal mailing address. We will update this section when one is established.

We aim to respond to all privacy inquiries within 30 days, and within 45 days for CCPA / CPRA requests as required by law.