WeActive8 LLC (“WeActive8”, “we”, “us”) is the data controller for personal information collected through weactive8.com, the 8CRM application at crm.weactive8.com, and direct communication with our team. This policy describes what we collect, how we use it, who we share it with, and your rights.

1. What we collect

When you contact us, sign up for the CRM, or otherwise interact:

• Contact details: name, email, phone number, company.
• Billing details: processed by Stripe, we never see full card numbers; we receive a token, last 4, brand, and country.
• Engagement content: anything you voluntarily share (forms, emails, messages, files attached to a brief).
• Technical telemetry: IP address, user agent, referrer, pages visited, basic device info via standard analytics.
• SMS opt-in metadata: the explicit opt-in source (form / verbal / CRM checkbox), timestamp, and consent text shown.

2. How we use it

• Deliver the service you requested (audit, project, retainer, subscription).
• Answer support questions and route messages internally.
• Send transactional notifications (account, billing, appointment, support).
• Send infrequent marketing emails or SMS only if you opted in. Opt out at any time.
• Detect abuse and meet legal obligations (tax, anti-fraud, lawful subpoena).

3. SMS messaging & phone numbers

WeActive8 does not share, sell, rent, or otherwise disclose mobile information (phone numbers, SMS opt-in data, or message content) to third parties or affiliates for marketing or promotional purposes. Phone numbers and SMS opt-in data are used solely for communications between you and WeActive8.

You opt in to SMS messaging from WeActive8 by:

• Submitting our contact form at weactive8.com/contact with the explicit consent checkbox ticked, or
• Signing up to the WeActive8 CRM at crm.weactive8.com with the SMS-consent checkbox ticked, or
• Providing explicit verbal consent during an onboarding call, recorded in our CRM.

Message types include: appointment reminders, support ticket updates, account/billing notifications, login verification codes, and infrequent promotional offers. Message frequency varies (typically 1 to 4 per month). Message & data rates may apply.

To opt out: reply STOP, UNSUBSCRIBE, CANCEL, END, or QUIT to any SMS from us. You will receive a one-time confirmation and no further messages until you opt back in. For help: reply HELP or email hello@weactive8.com.

4. Data sharing

We share data only with vendors necessary to operate our services. These vendors are contractually bound (Data Processing Agreements in place where required) to use the data only to provide their service to us:

• Stripe — payment processing (PCI DSS Level 1).
• Telnyx — SMS and voice carrier delivery.
• Twilio — secondary SMS / voice carrier.
• Hetzner — primary hosting infrastructure (Germany).
• Cloudflare — DNS, CDN, DDoS protection.
• Resend / Amazon SES — transactional and marketing email delivery.
• Google Workspace — internal email + calendar.
• Anthropic / OpenAI — LLM features inside 8CRM where you have opted in (per-tenant setting).

We never sell or rent personal data to advertisers, data brokers, lead resellers, or other third parties.

5. Retention & security

We retain personal data for as long as necessary to provide services and meet legal obligations (typically 7 years for billing records, indefinitely for opt-in/opt-out consent records to defend against TCPA claims, 90 days for raw access logs, 30 days for IP-only telemetry after anonymization).

Production data is encrypted at rest (LUKS + at-application layer for sensitive fields) and in transit (TLS 1.2+). Access is role-gated and logged. We run weekly off-site backups to Hetzner Storage Box.

6. Cookies & tracking

We split cookies into five categories. The first is strictly required; the rest you control via the Cookie settings link (bottom-left on every page).

Strictly necessary

Session cookies, CSRF token, the consent-preference cookie (wa8-consent, 13-month max). Cannot be disabled because the site won't function without them.

Functional

Remembers UI preferences (saved view layouts in 8CRM, language selection, recently-viewed pages). First-party only. Off by default in EU/UK and US-opt-out states; on by default in US notice-only states.

Analytics

Google Analytics 4 + Google Tag Manager. Anonymized IP, no cross-site tracking pixels. We use it to understand which pages work and which don't. 14-month retention on raw events.

Marketing

Meta Pixel, LinkedIn Insight Tag, Google Ads conversion tracking. Used to measure ROI on paid-channel experiments. We don't run heavy retargeting. Off by default everywhere; explicit opt-in required.

Sale & sharing (US opt-out)

Under CCPA / CPRA and similar US state laws, sharing browsing data with ad platforms (even without money changing hands) can constitute a “sale.” You can opt out of this category specifically in the Cookie settings panel without affecting analytics or functional cookies.

7. Consent management

We detect your location server-side from IP-geo headers and adapt the consent banner to the legal regime that applies. Three modes:

• EU / UK / EEA / Switzerland / Quebec / Brazil: explicit opt-in. Nothing beyond strictly-necessary runs until you click Accept all or Customize. Reject all is equally prominent (GDPR Art. 7(3)).
• US opt-out states (CA, VA, CO, CT, UT, TX, OR, IA, IN, MT, TN, DE, NJ, NH, MD, MN, RI, KY): banner shows Accept all / Reject all / Customize at first visit. Honors the Global Privacy Control browser signal as an automatic opt-out (per CO CPA rules and FTC interpretation of CCPA).
• Everywhere else (rest of the US, rest of the world without specific opt-in laws): notice-only banner. Cookies are enabled by default but a persistent Cookie settings link in the bottom-left lets you revoke any category at any time.

Your choice is stored in a first-party cookie and localStorage for 13 months. Re-prompt happens after expiry or if you cross into a stricter regime. All of this is Google Consent Mode v2 compatible, so every GTM tag respects your choice without per-page wiring.

8. Your rights

You may request access, correction, export, or deletion of your personal data at any time by emailing hello@weactive8.com. We respond within 30 days. California, EU, and UK residents have additional statutory rights, see the GDPR & CCPA page for the long form.

9. Children's data

Our services are not directed to children under 13 (or 16 in EU/UK). We do not knowingly collect data from children. If you believe we have, email us and we will delete it.

10. International transfers

Our primary infrastructure is in Germany (Hetzner). Data may transfer to the US (Stripe, Cloudflare, Telnyx, Resend, Google). We rely on Standard Contractual Clauses (SCCs) for EU/UK→US transfers and require vendor DPAs.

11. Changes

We may update this policy. Material changes will be announced on the site and emailed to active customers at least 30 days before the effective date.

Contact: WeActive8 LLC, 30 N Gould St, Sheridan, WY 82801, USA. Email hello@weactive8.com.