Privacy policy.

This Privacy Policy explains how 802 Software, LLC (“802.software,” “we,” “us”) collects, uses, retains, and discloses personal information when you visit https://802.software, submit an inquiry, engage us for software development services, or use any of our sub-applications (collectively, the “Services”).

We are a small, senior-led studio based in South Burlington, Vermont. We do not sell personal information, we do not run advertising networks, and we do not load third-party trackers for behavioral profiling. The default posture is to collect the minimum necessary to do the work you’ve asked us to do — and to be explicit when that line moves.

This policy is written in plain English. Where a defined legal term matters, we say so. If anything below conflicts with a signed engagement agreement, the engagement agreement controls for that engagement.

This policy applies to:

• The 802.software marketing site at https://802.software.
• Inquiries submitted via our contact form or sent to hello@802.software.
• Personal data handled during paid engagements, where 802.software is acting as a service provider or processor under your direction.
• Demo sub-apps published at 802.software/apps/* (mdmotors, pacelit, splitnpay) when used in their public, marketing-facing mode.

It does not apply to (a) software we build and hand off to you that you then operate on your own infrastructure, or (b) the privacy practices of third-party sites we link to. Each sub-app may also publish its own policy that supplements this one with app-specific details.

Information you provide directly

• Contact form & email. Name, work email, company, project description, budget range, and anything else you choose to share.
• Engagement records. Statements of work, invoices, deliverables, communications, and feedback related to a paid engagement.
• Newsletter / RSS. If you subscribe, your email address and engagement metadata (opens, clicks where applicable).

Information collected automatically

• Server & CDN logs. IP address, user agent, referrer, request path, response status, and timestamp. Used for security, abuse prevention, and operational debugging.
• Privacy-respecting analytics. Aggregated, cookieless page-view counts and approximate geography (country / region) for understanding which content is useful. No cross-site profiling.
• Cookies and storage. See Cookies and similar technologies below.

Information from clients during an engagement

When you engage us, you may share personal information about your customers, employees, or end-users so we can build and operate software on your behalf. In that role we act as a processor (GDPR) or service provider (CCPA/CPRA), processing personal data only on your documented instructions. The specifics live in your master agreement and any data processing addendum (DPA) we sign with you.

Sensitive categories

We do not knowingly collect special categories of personal data (health, biometric, precise geolocation, government IDs, children’s data) from the public website. If an engagement involves regulated data — e.g. PHI under HIPAA or cardholder data under PCI — we handle it under a separate, signed agreement with appropriate safeguards.

We use the information described above to:

• Respond to inquiries, qualify fit, schedule discovery calls, and produce proposals.
• Negotiate, deliver, support, and bill for engagements you’ve hired us for.
• Operate, secure, and improve the website and sub-apps — including detecting abuse, debugging, and capacity planning.
• Send transactional messages (replies, invoices, scheduling) and, only if you opt in, newsletter updates.
• Comply with legal obligations (tax, accounting, lawful requests) and enforce our agreements.

We do not use your data to train third-party AI models, build advertising profiles, or sell to data brokers. If an internal tool we use enables vendor-side training by default, we disable it where the option exists and prefer vendors that offer that toggle.

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR / UK GDPR:

• Performance of a contract — to negotiate and deliver an engagement you’ve asked for.
• Legitimate interests — running, securing, and improving the website and our business operations, where those interests are not overridden by your rights.
• Consent — for newsletter sign-ups and any non-essential cookies (we currently don’t use any).
• Legal obligation — accounting, tax, and lawful requests.

You can withdraw consent at any time — see Your rights. Withdrawal doesn’t affect the lawfulness of processing before the withdrawal.

The 802.software marketing site is designed to function without setting any non-essential cookies. We may use:

• Strictly necessary storage for session state (e.g. remembering you dismissed a notice). These are first-party and short-lived.
• Operational logs at the CDN / hosting layer, as described above.

We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking. If we ever introduce analytics that set identifying cookies, we will add a consent banner first and update this section before turning them on.

You can control cookies through your browser settings, including blocking them entirely. Doing so may impair some interactive features.

We share personal information only with vendors who help us run the studio, and only the data they need to perform their function. Our core sub-processors at the time of writing:

• Vercel — hosting and edge CDN for the marketing site.
• Cloudflare — DNS, network protection, edge security.
• Email provider (transactional / newsletter) — delivery of replies and opt-in updates.
• Cloud infrastructure (AWS / GCP) — engagement-specific environments, governed by your DPA.
• Productivity tools (Google Workspace, GitHub) — internal collaboration, code hosting, and document storage.
• Accounting and payments — invoicing and tax-reporting providers.

We also disclose information when required by law, to enforce our agreements, or to protect the rights, safety, and property of 802.software, our clients, or the public. In a sale or restructuring of the business, personal data may transfer to the acquirer under this same policy.

We do not sell personal information and we do not share it for cross-context behavioral advertising, as those terms are defined under U.S. state privacy laws.

We keep personal data only as long as we need it for the purposes above, then we delete or anonymize it. Default windows:

• Inquiry data — up to 24 months after our last meaningful contact, then archived or deleted.
• Engagement records and deliverables — 7 years after engagement close, to meet contractual, tax, and warranty obligations.
• Server logs — typically 30–90 days, except where retained for investigation of a security incident.
• Newsletter subscriptions — until you unsubscribe, plus a short suppression record so we don’t re-email you.
• Backups — encrypted backups roll out within 90 days of the live deletion.

Specific engagements can override these windows via your DPA or statement of work.

We are based in the United States, and most of our sub-processors are too. When personal data of EEA, UK, or Swiss residents is transferred to the U.S. or another third country, we rely on appropriate safeguards: Standard Contractual Clauses, the EU–U.S. Data Privacy Framework where our vendors are certified, and additional technical measures (encryption in transit and at rest, access controls).

You can request a copy of the relevant transfer mechanism by emailing us at hello@802.software.

Security is a continuous practice, not a one-time checkbox. We describe our program in more detail on our Security page, including responsible disclosure. At a high level:

• Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent) for personal data we store.
• Least-privilege access controls with SSO, hardware-key MFA, and quarterly access reviews.
• Centralized logging and alerting on production systems.
• Documented incident-response process with breach-notification commitments aligned to GDPR’s 72-hour window where applicable.
• Vendor due-diligence and DPAs with sub-processors that handle personal data.

No system is perfectly secure. If you believe you’ve found a vulnerability or your data has been exposed, please contact us at security@802.software.

Depending on where you live, you may have some or all of the following rights:

• Access — request a copy of personal data we hold about you.
• Correction — ask us to fix inaccurate or incomplete information.
• Deletion — ask us to delete your information, subject to legal-retention exceptions.
• Portability — receive your information in a portable, machine-readable format.
• Restriction / objection — limit or object to certain processing, including legitimate-interest processing.
• Withdraw consent — for processing based on consent.
• Non-discrimination — we will not retaliate for exercising any of these rights.

To exercise a right, email hello@802.software with the subject “Privacy request.” We’ll respond within the timeline required by the applicable law (typically 30–45 days). We may need to verify your identity before acting on a request.

California residents may also designate an authorized agent to make a request on their behalf. EEA/UK residents have the right to lodge a complaint with their local supervisory authority.

Our Services are intended for businesses and adults. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, contact hello@802.software and we will delete it.

We may update this policy as our practices evolve. When we make material changes, we’ll update the “Last updated” and “Effective” dates and, where appropriate, notify you through the website, email, or your engagement contact.

Continued use of the Services after a change indicates acceptance of the updated policy.

For privacy questions, requests, or feedback on this policy:

• Email — hello@802.software (subject: “Privacy”)
• Security / incidents — security@802.software
• Postal — 802 Software, LLC, 180 Market Street, South Burlington, VT 05403, US