01 Overview

Ariadne Advisory is a boutique information security and compliance consulting practice operating as a DBA of Island Labyrinth Creations LLC, a women-owned business based on Whidbey Island, Washington. We provide GRC consulting, fractional CISO services, security health assessments, compliance framework assessments, and AI governance advisory services, primarily to small and mid-size organizations.

This Privacy Policy explains how we collect, use, and protect information when you:

  • Visit ariadneadvisory.co or any subpages

  • Contact us by email, web form, or telephone

  • Engage our consulting services

  • Purchase or use our paid assessment products

  • Connect with us on LinkedIn or other professional platforms

The short version: We are a consulting practice, not an advertising platform. We do not sell your data. We collect only what we need to operate our business and serve our clients. We take information security seriously; it's what we do for a living.

02 Information We Collect

Information You Provide Directly

  • Contact and inquiry information: Name, email address, job title, organization name, phone number, and the contents of messages you send us via web forms, email, or social platforms.

  • Assessment and questionnaire responses: If you purchase or complete one of our paid security assessment products, we collect your questionnaire responses, which may include information about your organization's technology environment, security practices, and compliance posture. This information is treated as confidential and used solely to deliver the assessment service.

  • Payment information: When you make a purchase, payment is processed by Stripe. Ariadne Advisory does not store payment card data. We receive transaction confirmation, invoice details, and billing contact information only.

  • Correspondence: Emails, meeting notes, and other communications related to inquiries or engagements.

Information Collected Automatically

  • Website usage data: If analytics are enabled on ariadneadvisory.co (e.g., via web hosting provider analytics or a third-party service), we may collect page views, approximate geographic location (country/region), referring URLs, browser type, device type, and time-on-site. This data is aggregated and not linked to individual identities.

  • Cookies and local storage: See Section 5 below.

Information from Third Parties

  • If you connect with us on LinkedIn, we may receive your public professional profile information.

  • We do not purchase, rent, or receive marketing lists from data brokers.

03 How We Use Your Information

We do not use your information for automated decision-making that produces legal or similarly significant effects without human review.

04 Sharing & Disclosure

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

  • Service providers: We use a small number of technology vendors to operate our business, including Hostinger (website hosting), Google Workspace (email and documents), Stripe (payment processing), and Notion (project and client management). These vendors process data on our behalf under contractual data protection obligations.

  • Professional advisors: Attorneys, accountants, and similar advisors engaged by Ariadne Advisory under confidentiality obligations, as necessary.

  • Legal requirements: We may disclose information if required to do so by law, court order, regulatory authority, or to protect the rights, property, or safety of Ariadne Advisory, our clients, or others.

  • Business transfers: In the unlikely event of a merger, acquisition, or sale of substantially all business assets, client information may be transferred as part of that transaction, subject to equivalent confidentiality protections.

  • With your consent: With your explicit permission for any other purpose not described here.

We do not share client engagement data, assessment responses, or confidential organizational information with any third party beyond what is necessary to deliver the services you have contracted.

05 Cookies & Tracking

Ariadne Advisory's website may use the following types of cookies and similar technologies:

  • Strictly necessary cookies: Required for the website to function (e.g., session state, form submissions). Cannot be opted out of while using the site.

  • Analytics cookies: Aggregate, anonymized data about how visitors use the site. These do not identify you personally. If present, you may opt out through your browser settings or a cookie consent banner if displayed.

  • Payment cookies: Stripe may set cookies when processing payments on our site. See Stripe's Privacy Policy.

We do not use advertising, retargeting, or behavioral tracking cookies. You can control cookies through your browser settings. Note that disabling certain cookies may affect site functionality.

06 Data Security

We implement administrative, technical, and physical safeguards consistent with industry practices for a professional services firm, including:

  • TLS/HTTPS encryption for data in transit on our website

  • Access controls limiting information to those who need it for business purposes

  • Use of reputable, security-conscious service providers (Google Workspace, Stripe, Hostinger)

  • Secure handling of client documents and assessment data

No method of transmission or storage is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security. In the event of a data breach that poses risk to your rights, we will notify affected parties as required by applicable law.

Note on client engagements: For clients whose engagements involve access to their systems, networks, or sensitive data, the data handling practices applicable to that engagement are governed by the terms of our Consulting Services Agreement and any applicable Business Associate Agreement (for HIPAA-covered entities).

07 Retention

We retain personal information only as long as necessary for the purposes for which it was collected, or as required by applicable law or professional standards:

  • Inquiry and contact information: Up to 2 years from last contact, unless an engagement relationship forms.

  • Client engagement records and deliverables: 7 years from engagement close, consistent with standard business record-keeping and professional liability considerations.

  • Payment records: 7 years, as required for tax and accounting purposes.

  • Assessment questionnaire data: Duration of engagement plus up to 2 years, then securely deleted or anonymized unless longer retention is required by contract.

  • Website analytics: Aggregated data may be retained indefinitely; raw session data (if any) no longer than 26 months.

When retention periods expire, information is securely deleted or anonymized.

08 Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

  • Access: Request a copy of personal information we hold about you.

  • Correction: Request correction of inaccurate or incomplete information.

  • Deletion: Request deletion of your personal information, subject to our legal and contractual obligations to retain certain records.

  • Restriction: Request that we restrict processing of your information in certain circumstances.

  • Portability: Request a machine-readable copy of information you provided to us.

  • Opt-out of marketing: Opt out of any non-transactional communications at any time by replying to an email with "unsubscribe" or by contacting us directly.

Washington State residents may have additional rights under the Washington My Health My Data Act (WMHMDA) and related legislation, where applicable.

California residents may have rights under the California Consumer Privacy Act (CCPA/CPRA). Because we are a small business, certain CCPA thresholds may apply to us. We do not sell personal information, which is the primary concern of the CCPA framework.

EEA/UK residents: If you are located in the European Economic Area or United Kingdom, you may have additional rights under the GDPR or UK GDPR. Please contact us to discuss your specific situation.

To exercise any of these rights, contact us using the contact information in Section 12. We will respond within 30 days. We may need to verify your identity before processing your request.

09 Client Engagement Data

When we perform consulting services, we may receive access to our clients' systems, data, and information about their employees, customers, or third parties. In that context:

  • Ariadne Advisory acts as a data processor with respect to personal data belonging to your organization's employees, customers, or others that we access solely to perform Services.

  • We process such data only as directed by the client and as necessary to perform the contracted services.

  • For clients subject to HIPAA who engage us for covered services, we enter into a Business Associate Agreement (BAA). If you are a covered entity or business associate and need a BAA, please request one before or at the start of your engagement.

  • We do not use data from one client's engagement for the benefit of any other client.

10 Children

Our website and services are directed exclusively at business and professional audiences. We do not knowingly collect personal information from individuals under the age of 18. If you believe a minor has submitted personal information to us, please contact us immediately and we will delete it.

11 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page. For significant changes affecting how we handle client data, we will provide direct notice by email where feasible.

Continued use of our website or services after a policy update constitutes acceptance of the revised policy. We encourage you to review this page periodically.

12 Contact Us

For privacy inquiries, data requests, or questions about this policy, reach out through our contact page:

We aim to respond to all privacy-related requests within 30 days.