Privacy Policy — Whitethorn Games, Inc.

1. Introduction

Whitethorn Games, Inc. ("Company," "we," "our," or "us"), located at 11 E 12TH ST, ERIE, PA 16501-1905, United States, is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard information obtained through our website, software development services, consulting engagements, and any associated digital platforms (collectively, the "Services").

By accessing our website at whitethorngamesinc.com or engaging our Services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with this policy, please discontinue use of our Services immediately.

This Privacy Policy applies to all visitors, clients, prospective clients, business partners, and any individual who interacts with Whitethorn Games, Inc. through any channel, including our website, email, phone, or third-party platforms.

2. Information We Collect

We collect information in the following categories:

2.1 Personal Identification Information

When you contact us, submit a project inquiry, sign a service agreement, or create an account on our client portal, we may collect:

Full legal name and preferred name
Business email address and personal email address
Phone number (mobile and/or office)
Job title and professional role
Company name, size, and industry
Business mailing address and physical location
LinkedIn profile URL or other professional social media handles

2.2 Financial and Billing Information

For invoicing, payment processing, and contract management, we collect:

Billing name and address
Payment method details (processed securely through PCI-DSS compliant third-party processors)
Bank account information for ACH transfers (stored encrypted)
Tax identification numbers (EIN/SSN) for applicable contract arrangements
Invoice history and payment records

We do not store raw credit card numbers on our servers. All payment card data is tokenized and processed by our payment processor partners (Stripe, Inc. and/or Braintree, a PayPal service).

2.3 Technical and Usage Data

When you visit our website or use our client portal, we automatically collect:

IP address and approximate geographic location derived from IP
Browser type, version, and language settings
Operating system and device type
Pages visited, time spent on each page, and navigation paths
Referring URL and exit URL
Date and time of each visit
Clickstream data and user interaction events
Session identifiers and authentication tokens

2.4 Project and Communication Data

In the course of delivering software development services, we may collect and process:

Project requirements, technical specifications, and scope documents
Email correspondence and meeting notes
Files, documents, and assets shared with our team
Access credentials to client systems (stored in encrypted credential management systems)
Feedback, reviews, and satisfaction survey responses

3. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance user experience, analyze traffic, and support marketing activities. Cookies are small text files stored on your device that help us recognize you and remember your preferences.

3.1 Types of Cookies We Use

Essential Cookies: Required for the website to function properly. These include session management cookies and security tokens. These cannot be disabled without affecting site functionality.
Analytics Cookies: We use Google Analytics 4 (GA4) to understand how visitors interact with our website. These cookies collect anonymized data about page views, session duration, bounce rates, and user flow. Data is aggregated and does not identify individual users.
Functional Cookies: Remember your preferences such as language settings, form autofill data, and previously selected options to improve your experience across sessions.
Marketing and Advertising Cookies: We may use Google Ads, Meta Pixel, and LinkedIn Insight Tag to measure the effectiveness of our advertising campaigns and to deliver relevant advertisements on third-party platforms. These cookies track conversions and may build anonymized audience profiles.

3.2 Cookie Management

You may manage your cookie preferences through your browser settings. Most browsers allow you to block, delete, or restrict cookies. Please note that disabling certain cookies may affect website functionality. You may also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on available at tools.google.com/dlpage/gaoptout.

3.3 Do Not Track

Our website does not currently respond to "Do Not Track" signals from browsers. However, we honor opt-out requests submitted through our privacy request form or via email to ceo@whitethorngamesinc.com.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Delivery

To process project inquiries, proposals, and service agreements
To deliver, manage, and improve our software development services
To communicate with you about project status, milestones, and deliverables
To provide technical support and post-launch maintenance
To onboard new clients and manage ongoing client relationships

4.2 Business Operations

To process payments, issue invoices, and manage billing records
To comply with tax reporting obligations and maintain financial records
To enforce our Terms and Conditions and other contractual agreements
To conduct internal quality assurance and project retrospectives

4.3 Marketing and Communications

To send you newsletters, case studies, and service announcements (with your consent)
To follow up on project inquiries and consultations
To deliver targeted advertising on third-party platforms based on anonymized behavioral data
To request testimonials or case study participation (voluntary)

4.4 Legal and Compliance

To comply with applicable federal, state, and local laws and regulations
To respond to legal process, court orders, or government requests
To protect our legal rights, intellectual property, and business interests
To investigate and prevent fraud, security incidents, and policy violations

5. Legal Basis for Processing (GDPR)

For individuals located in the European Economic Area (EEA) or United Kingdom, we process personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR) and UK GDPR:

Contractual Necessity (Article 6(1)(b)): Processing required to perform our service contracts, including delivering software development services, issuing invoices, and providing technical support.
Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, including fraud prevention, security monitoring, and improving our services, where these interests are not overridden by your rights.
Consent (Article 6(1)(a)): Where you have provided explicit consent, such as opting into marketing communications or agreeing to cookie placement for analytics purposes.
Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable legal obligations, including tax law, financial reporting requirements, and responses to lawful government requests.

6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, subject to the following retention schedules:

Client Project Data: Retained for 7 years following project completion to comply with contractual warranty obligations and applicable statutes of limitations.
Financial Records: Retained for 7 years in accordance with IRS recordkeeping requirements and Pennsylvania state tax regulations.
Marketing Communications: Retained until you unsubscribe or request deletion, whichever occurs first.
Website Analytics Data: Retained for 26 months in Google Analytics (anonymized), then automatically deleted.
Inquiry and Contact Form Data: Retained for 3 years from the date of last contact if no service agreement is executed.
Employee and Contractor Records: Retained for 7 years following termination of the employment or contractor relationship.

Upon expiration of the applicable retention period, we will securely delete or anonymize personal information in accordance with industry best practices.

7. Data Security

Whitethorn Games, Inc. implements a comprehensive set of technical and organizational security measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. Our security practices include:

Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 encryption.
Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. Multi-factor authentication (MFA) is required for all internal systems.
Credential Management: Client access credentials are stored in enterprise-grade password management systems (HashiCorp Vault or equivalent) with full audit logging.
Penetration Testing: We conduct annual third-party penetration tests on our infrastructure and web applications.
Incident Response: We maintain a documented incident response plan. In the event of a data breach affecting your personal information, we will notify affected individuals and relevant authorities within the timeframes required by applicable law.
Vendor Security: All third-party vendors with access to personal data are required to maintain equivalent security standards and execute data processing agreements.

8. Sharing and Disclosure of Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information in the following limited circumstances:

8.1 Service Providers

We engage trusted third-party service providers to assist in delivering our services. These providers are contractually bound to process data only as directed by us and to maintain appropriate security standards. Current categories of service providers include:

Cloud hosting providers (Amazon Web Services, Microsoft Azure)
Payment processors (Stripe, Inc.; Braintree)
CRM and project management platforms (used internally)
Email delivery services (for transactional and marketing communications)
Analytics platforms (Google Analytics)
Legal and accounting professionals bound by confidentiality obligations

8.2 Business Transfers

In the event of a merger, acquisition, asset sale, or corporate restructuring, your personal information may be transferred as part of the transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

8.3 Legal Requirements

We may disclose your information if required to do so by law or in good-faith belief that such action is necessary to comply with legal obligations, protect our rights or property, prevent fraud or illegal activity, or protect the personal safety of our clients, employees, or the public.

9. International Data Transfers

Whitethorn Games, Inc. is based in the United States. If you are located outside the United States and choose to provide personal information to us, please note that we transfer and process that information in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for the transfer. Copies of applicable SCCs are available upon request.

10. Your Privacy Rights

10.1 Rights Under GDPR (EEA/UK Residents)

If you are located in the EEA or UK, you have the following rights under GDPR:

Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data, subject to applicable legal retention requirements.
Right to Restriction: Request that we restrict processing of your personal data in certain circumstances.
Right to Data Portability: Receive your personal data in a structured, machine-readable format and transfer it to another controller.
Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

10.2 Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell personal information. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link on our homepage.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

10.3 Exercising Your Rights

To exercise any of the rights described above, please submit a written request to: ceo@whitethorngamesinc.com. Include your full name, email address, and a description of your request. We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving a verified request. We may require identity verification before processing sensitive requests.

11. Children's Privacy

Our Services are intended exclusively for business use by individuals who are 18 years of age or older. We do not knowingly collect, use, or disclose personal information from children under the age of 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will promptly delete such information. If you believe we may have collected information from a minor, please contact us at ceo@whitethorngamesinc.com.

12. Third-Party Links and Services

Our website may contain links to third-party websites, tools, and services. This Privacy Policy applies only to information collected by Whitethorn Games, Inc. We are not responsible for the privacy practices of third-party websites and encourage you to review the privacy policies of any third-party services you access through our website.

13. Marketing Communications

With your consent, we may send you marketing emails, newsletters, and service announcements. You may unsubscribe from marketing communications at any time by clicking the "Unsubscribe" link included in every marketing email, or by emailing ceo@whitethorngamesinc.com with the subject line "Unsubscribe."

Please note that even after unsubscribing from marketing communications, you will continue to receive transactional emails related to active service agreements, invoices, and project communications.

14. Updates to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will update the "Last Updated" date at the top of this policy and, where appropriate, notify you by email or by posting a prominent notice on our website. Your continued use of our Services after the effective date of any update constitutes your acceptance of the revised policy.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Controller: Whitethorn Games, Inc.
Address: 11 E 12TH ST, ERIE, PA 16501-1905, United States
Email: ceo@whitethorngamesinc.com
Subject Line: Privacy Policy Inquiry

For EEA residents, if you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.