Effective Date: 01/01/2021
Last Updated: 11/1/2025

Introduction

Steelhead Software ("we," "us," or "our") is committed to protecting the privacy and security of personal information we collect through our website and services. This Privacy Policy explains how we collect, use, disclose, and safeguard information from business contacts, prospects, and visitors to our website.

We help organizations modernize legacy systems, serving clients in manufacturing (particularly food and agriculture), logistics and warehousing, and financial services across Washington, Oregon, Idaho, and California. This policy applies to all personal information we collect in connection with our business operations.

Important Note for Business Contacts: If you are providing information in your capacity as an employee, contractor, or representative of an organization, your privacy rights under applicable laws (including California's CCPA/CPRA) apply regardless of your business role. Your organization may be the data controller for employment-related data, while we act as data controller for information you provide directly to us for business purposes.

Information We Collect

Information You Provide Directly

We collect information when you:

  • Complete contact forms on our website
  • Request information about our services
  • Schedule consultations or system assessments
  • Subscribe to our newsletter or marketing communications
  • Communicate with us via email, phone, or other channels
  • Attend webinars, events, or demonstrations

This information may include:

  • Contact Information: Name, email address, phone number, job title, company name, business address
  • Professional Information: Industry, company size, information about your legacy systems and business challenges
  • Communication Preferences: Marketing preferences, communication channel preferences
  • Inquiry Details: Information about your business needs, challenges with legacy systems, and service interests

Information Collected Automatically

When you visit our website, we automatically collect certain information through cookies and similar technologies:

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Information: Pages visited, time spent on pages, links clicked, referring websites
  • Analytics Data: Website performance metrics, user behavior patterns, conversion data

We use cookies for website functionality, analytics, and marketing purposes. You can control cookies through your browser settings and our cookie preference center. See our "Cookies and Tracking Technologies" section below for details.

Information from Third-Party Sources

We may receive information about you from:

  • Business Partners: When you attend joint events or webinars
  • Public Sources: Business contact information from company websites, LinkedIn, and industry directories
  • Data Enhancement Services: Business intelligence services that help us better understand your company's needs

How We Use Your Information

We process your personal information based on the following legal grounds:

Legitimate Business Interests – We process business contact information to pursue our legitimate interests in:

  • Responding to inquiries about our legacy software modernization services
  • Maintaining business relationships with prospects and clients
  • Improving our services and website functionality
  • Analyzing market trends and business opportunities

Consent – We obtain your consent for:

  • Sending marketing communications and newsletters
  • Using non-essential cookies for analytics and marketing
  • Sharing information with third parties for purposes beyond service delivery

Contractual Necessity – We process information necessary to:

  • Provide requested services and consultations
  • Manage client relationships and service delivery
  • Fulfill our contractual obligations

Legal Compliance – We process information as required to:

  • Comply with applicable laws and regulations
  • Respond to legal requests and prevent fraud
  • Protect our legal rights and interests

Specific Uses

We use collected information to:

  • Respond to Inquiries: Answer questions about our services and provide requested information
  • Provide Services: Deliver legacy software modernization consultations, assessments, and services
  • Marketing Communications: Send information about our services, industry insights, and relevant content with your consent
  • Business Operations: Analyze website usage, improve our services, and optimize user experience
  • Security: Protect against fraud, unauthorized access, and security threats
  • Legal Obligations: Comply with applicable laws, regulations, and legal processes

How We Share Your Information

We share your information only in the following circumstances:

Service Providers and Processors

We engage trusted third-party service providers who process information on our behalf under written agreements that ensure appropriate data protection. These include:

Zoho Corporation – We use Zoho Forms for contact collection, Zoho Campaigns for email marketing, and Zoho CRM for customer relationship management. Zoho Corporation acts as our data processor and processes your personal information pursuant to a data processing agreement that ensures GDPR-compliant data handling. Zoho is ISO 27001 certified, SOC 2 Type II compliant, and ISO 27701 certified for Privacy Information Management. Data is processed in Zoho's US data center. International data transfers are protected by Standard Contractual Clauses approved by the European Commission.

Other Service Providers may include:

  • Website hosting and infrastructure providers
  • Email delivery services
  • Analytics and website optimization tools
  • IT support and security services

All service providers are contractually required to:

  • Process data only for specified purposes
  • Implement appropriate security measures
  • Maintain confidentiality
  • Comply with applicable privacy laws
  • Notify us of any inability to meet data protection obligations
  • Cooperate with data subject rights requests

Business Transfers

If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change and the choices you have regarding your information.

Legal Requirements

We may disclose information when required by law or in response to:

  • Valid legal process (subpoenas, court orders)
  • Government or regulatory requests
  • Protection of our legal rights and property
  • Prevention of fraud or security threats
  • Protection of the safety of individuals

With Your Consent

We may share information with third parties when you provide explicit consent for specific purposes not covered above.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance website functionality, analyze usage, and deliver relevant marketing.

Types of Cookies We Use

Strictly Necessary Cookies – Essential for website functionality, including:

  • Session cookies for navigation and form submission
  • Authentication cookies for secure access
  • Security cookies for fraud prevention

These cookies do not require consent as they are essential for services you explicitly request.

Analytics Cookies – Help us understand website usage and improve performance:

  • Website traffic analysis
  • User behavior tracking
  • Performance monitoring

Marketing Cookies – Enable targeted advertising and personalized content:

  • Cross-site tracking for behavioral advertising
  • Retargeting and remarketing
  • Social media integration

Cookie Consent and Management

For California residents and others in states with opt-out rights, we provide clear mechanisms to opt out of non-essential cookies through our cookie preference center accessible via the footer of our website.

Your Cookie Choices:

  • Accept All: Allow all cookies including analytics and marketing
  • Reject All: Block all non-essential cookies (strictly necessary cookies remain active)
  • Customize: Select specific cookie categories to accept or reject
  • Update Preferences: Change your cookie preferences at any time via our cookie preference center

We honor Global Privacy Control (GPC) browser signals as a universal opt-out preference for California, Colorado, Connecticut, Texas, Montana, Nebraska, and New Hampshire residents.

Browser Controls: You can also control cookies through your browser settings:

  • Chrome: Settings > Privacy and Security > Cookies
  • Firefox: Options > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Cookies and Website Data
  • Edge: Settings > Privacy, Search, and Services > Cookies

Note that blocking certain cookies may impact website functionality.

Data Retention

We retain personal information only as long as necessary for the purposes disclosed in this policy, unless a longer retention period is required or permitted by law.

Retention Periods

  • Active Business Contacts: Duration of business relationship plus 3-7 years for legal, tax, and business purposes
  • Inactive Leads and Prospects: 3 years from last interaction, after which data is deleted unless you re-engage
  • Marketing Consent Records: 7 years to demonstrate compliance with privacy laws
  • Email Marketing Data: 3 years from last campaign interaction
  • Contact Form Submissions: 3 years for general inquiries; 7 years for demo requests and sales inquiries
  • Website Analytics: 12-24 months for individual user data; longer retention for aggregated, anonymized data
  • Cookie Data: Duration disclosed in our cookie policy, typically 12-24 months

Data is automatically deleted or anonymized when retention periods expire unless longer retention is required by law or necessary to establish, exercise, or defend legal claims.

Data Security

We implement comprehensive security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Security Safeguards

Administrative Safeguards:

  • Access controls limiting data access to authorized personnel only
  • Regular security training for all employees handling personal data
  • Documented security policies and procedures
  • Background checks for employees with data access
  • Confidentiality agreements with all personnel

Technical Safeguards:

  • Encryption of data in transit using TLS 1.2 or higher protocols
  • Encryption of sensitive data at rest using industry-standard encryption
  • Firewalls and intrusion detection systems
  • Regular security monitoring and vulnerability scanning
  • Multi-factor authentication for system access
  • Secure backup and disaster recovery procedures

Physical Safeguards:

  • Our data is hosted in Zoho data centers that maintain SOC 2 Type II certified physical security controls
  • Restricted access to facilities and equipment
  • Environmental controls to protect infrastructure

Vendor Security Requirements: We require all service providers and vendors to:

  • Maintain appropriate security measures
  • Undergo security assessments before engagement
  • Provide security certifications (ISO 27001, SOC 2 Type II)
  • Notify us promptly of any security incidents
  • Submit to periodic security audits

Security Certifications

Our service providers, including Zoho Corporation, maintain:

  • ISO 27001 certification for information security management
  • SOC 2 Type II compliance demonstrating security, availability, and confidentiality controls
  • ISO 27701 certification for privacy information management
  • Regular third-party security audits

Incident Response

While we implement industry-standard security measures, no method of transmission over the internet is 100% secure. In the event of a data breach affecting your personal information, we will:

  • Investigate and assess the breach promptly
  • Notify affected individuals within 72 hours or as required by applicable law
  • Provide details about the nature of the breach, the data affected, and recommended actions
  • Notify relevant supervisory authorities as required by law

Your Security Responsibilities: We encourage you to protect your information by:

  • Using strong, unique passwords
  • Keeping login credentials confidential
  • Logging out after using our services
  • Keeping your devices and software updated
  • Reporting suspicious activity immediately

Your Privacy Rights

Your privacy rights vary depending on your location. We respect and facilitate all applicable rights under state and federal privacy laws.

Rights for All Users

Regardless of location, you have the right to:

  • Access – Request information about what personal data we hold about you
  • Correction – Request correction of inaccurate or incomplete information
  • Deletion – Request deletion of your personal information, subject to legal exceptions
  • Opt-Out – Unsubscribe from marketing communications at any time

Additional Rights for California Residents

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have additional rights:

Right to Know: Request disclosure of personal information collected in the past 12 months, including:

  • Categories and specific pieces of personal information collected
  • Categories of sources from which information was collected
  • Business purposes for collection and use
  • Categories of third parties with whom information is shared
  • Categories of personal information sold or shared, if applicable

Right to Delete: Request deletion of personal information we collected from you, subject to certain exceptions

Right to Correct: Request correction of inaccurate personal information

Right to Opt-Out: Opt out of the sale or sharing of your personal information for cross-context behavioral advertising

Right to Limit Use: Limit the use and disclosure of sensitive personal information (if applicable)

Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights by:

  • Denying goods or services
  • Charging different prices or rates
  • Providing different quality of goods or services
  • Suggesting you will receive different prices or quality

Right to Data Portability: Receive your personal information in a portable, readily usable format

Rights for Washington Residents

Under Washington's My Health My Data Act (if applicable to health data we collect):

  • Right to confirm whether consumer health data is being collected, shared, or sold
  • Right to access consumer health data
  • Right to obtain a list of third parties who received health data
  • Right to withdraw consent to collection and sharing
  • Right to have consumer health data deleted

Rights for Oregon Residents

Under the Oregon Consumer Privacy Act (if applicable):

  • Right to confirm whether we process your personal data
  • Right to access your personal data
  • Right to obtain portable copies in readily usable format
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to opt out of processing for targeted advertising, sale, or profiling

Appeal Process for Oregon Residents: If we deny your request, you may appeal by contacting us using the methods below. We will respond within 45 days. If your appeal is denied, you may contact the Oregon Attorney General to submit a complaint.

How to Exercise Your Rights

To exercise any of these rights, please contact us using the methods provided in the "Contact Us" section below. You may submit requests via:

  • Email: privacy@steelheadsoftware.com
  • Phone: [Insert toll-free number]
  • Mail: [Insert mailing address]
  • Online Form: [Insert link to privacy request form]

Verification Process: To protect your privacy, we will verify your identity before fulfilling requests. Verification requirements are proportionate to the sensitivity of information requested and the risk of unauthorized access. For deletion requests, we use a two-step verification process requiring confirmation.

Response Timeframes:

  • We will confirm receipt of your request within 10 business days
  • We will respond substantively within 45 calendar days
  • If additional time is needed, we may extend by 45 days with notification (maximum 90 days total)
  • Opt-out requests will be processed within 15 business days

Request Limitations: You may submit up to two free access requests per 12-month period. We may deny requests that are excessive, repetitive, manifestly unfounded, or would require disproportionate effort.

Do Not Sell or Share My Personal Information

California residents can opt out of the sale or sharing of personal information. While we do not sell personal information in the traditional sense, certain data sharing for analytics and marketing purposes may be considered a "sale" or "share" under California law.

To opt out:

  • Enable Global Privacy Control (GPC) in your browser
  • Contact us directly using the methods in the "Contact Us" section

Children's Privacy

Our website and services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately so we can delete the information.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from the laws of your country.

When we transfer personal information internationally, we implement appropriate safeguards including:

  • Standard Contractual Clauses approved by the European Commission
  • Data Processing Agreements with all international service providers
  • Ensuring adequate security measures are in place

Our primary service provider, Zoho Corporation, processes data in US data centers and uses Standard Contractual Clauses for international data transfers.

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, legal requirements, or for other operational, legal, or regulatory reasons.

Notice of Changes:

  • We will post the updated policy on this page with a new "Last Updated" date
  • Material changes will be communicated via email to contacts in our database
  • Continued use of our website and services after changes constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Steelhead Software
hello@steelheadsoftware.io

Privacy Inquiries:
Email: hello@steelheadsoftware.com

Data Subject Rights Requests:
Email: hello@steelheadsoftware.com
Online Form: Contact us

General Inquiries:
Email: hello@steelheadsoftware.com
Website: steelheadsoftware.io

We will respond to all inquiries within a reasonable timeframe, typically within 10 business days for general questions and within the timeframes specified above for data subject rights requests.

State-Specific Disclosures

California Residents

Categories of Personal Information Collected (CCPA/CPRA):

  • Identifiers (name, email, phone, business address, IP address)
  • Professional or employment-related information (job title, company, industry)
  • Commercial information (products/services interest, inquiry details)
  • Internet or network activity (browsing behavior, website interactions)

Business Purposes for Collection:

  • Providing requested services and responding to inquiries
  • Managing business relationships
  • Marketing communications (with consent)
  • Website functionality and analytics
  • Security and fraud prevention
  • Legal compliance

Categories of Third Parties Receiving Information:

  • Service providers and data processors (Zoho Corporation, hosting providers, analytics services)
  • Professional advisors (legal, accounting, consulting)
  • Government authorities and legal entities (when required by law)

Data Retention: See the "Data Retention" section above for specific retention periods by data type.

Sensitive Personal Information: We do not intentionally collect sensitive personal information as defined by CCPA/CPRA (Social Security numbers, precise geolocation, health information, etc.) through our website or standard business operations.

Sales and Sharing: We do not sell personal information in exchange for monetary compensation. Certain sharing for marketing analytics may qualify as "sharing" under California law, from which you can opt out using the methods described in the "Your Privacy Rights" section.

Washington Residents

If we collect consumer health data as defined by the Washington My Health My Data Act, separate disclosures and consent processes will apply. Our standard business operations for legacy software modernization services do not typically involve collection of consumer health data.

Oregon Residents

Oregon residents have rights under the Oregon Consumer Privacy Act as described in the "Your Privacy Rights" section. Our processing of business contact information in commercial contexts is generally exempt from OCPA requirements, but consumer-facing activities (if any) comply fully with OCPA.

Idaho Residents

While Idaho does not currently have a comprehensive state privacy law, we extend the same privacy protections and rights to Idaho residents as those provided to residents of states with privacy laws.

Acknowledgment: By using our website and services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.