1. Introduction
This Privacy Policy describes how Britton Lorentzen, doing business as Empac, a sole proprietorship registered in Washington State ("we," "us," "Empac," or "blorentz"), collects, uses, retains, and shares information when you visit the blorentz.com website (the "Site") or engage with our consulting services, including the Website and Marketing Audit (collectively, the "Services").
By using the Site or engaging the Services, you agree to the practices described in this policy.
2. What We Collect
2.1 Information You Provide
When you interact with the Site and Services, you may provide:
Application and intake information:
- Name
- Email address
- Company or business name
- Product URL
- Description of your build, tools used, current situation, and goals
- Tier preference and any context you provide in form fields
Engagement information (audit clients):
- Code repository access (read-only)
- Database, backend, and infrastructure access credentials
- Product descriptions, brand assets, and analytics data
- Communications with us via email, video calls, or other channels
Payment information:
- Billing name and address
- Payment method details (processed by Stripe; we do not store full payment card data)
2.2 Information Collected Automatically
When you visit the Site, we collect:
- IP address and approximate geographic location
- Browser type, operating system, and device identifiers
- Pages visited, time on page, and referral source
- Interactions with the Site (clicks, form submissions, scroll depth)
We may use cookies, local storage, and similar technologies for analytics, session management, and site functionality. You can control cookies through your browser settings.
2.3 Client Portal Access Logs
For audit clients, we log access events on your dedicated client portal, including:
- Authentication attempts (successful and failed)
- Page views within the portal
- Download events
- IP address and approximate location of access
This data is used for security, abuse detection, and aggregate analytics. It is not sold or shared with third parties.
2.4 Information We Do Not Collect
We do not knowingly collect:
- Information from individuals under the age of 18
- Sensitive personal information (race, religion, sexual orientation, biometric data) unless voluntarily provided in the course of an engagement
- Protected Health Information (PHI) under HIPAA (our Services are not available to HIPAA-covered entities)
3. How We Use Your Information
We use the information we collect to:
- Evaluate your application and determine engagement fit
- Schedule and deliver the audit and related services
- Process payments
- Provide ongoing support during your engagement
- Maintain and operate your client portal
- Communicate with you about your engagement and any follow-up matters
- Improve the Site, Services, and our marketing materials
- Detect, prevent, and respond to fraud, abuse, or security incidents
- Comply with legal obligations
3.1 Use of Engagement Content for Marketing
As stated in our Terms of Use, we may use anonymized patterns, observations, and aggregate findings from audits for case studies, blog content, social media content, and other marketing materials. No identifying information about you or your product will be disclosed without your prior written consent.
You may opt out of marketing use of your engagement (including anonymized use) by providing written notice before audit delivery.
3.2 We Do Not Sell Your Personal Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
4. How We Share Your Information
We share information with the following categories of third parties, all of whom act as data processors on our behalf:
4.1 Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Application data, portal authentication, audit content |
| Vercel | Application hosting | All Site traffic and application logs |
| Cloudflare | Video hosting (Cloudflare Stream), CDN, analytics | Audit recordings, Site traffic data |
| Stripe | Payment processing | Payment details, billing information |
| Email (Gmail), Google Meet for audit sessions, Google Drive (optional working copies) | Communications, video session data, any content you elect to share via Google Drive | |
| MailerSend, MailerLite | Transactional email and newsletter delivery | Email content, engagement metadata |
| Plausible Analytics, Google Analytics | Site analytics and event tracking | Site usage data |
| Cal.com | Discovery call and audit session scheduling | Name, email, scheduled time |
Each service provider is bound by their own privacy policy and data processing terms. We select providers with reasonable security and privacy practices.
4.2 Legal Compliance
We may disclose information if required to do so by law, regulation, court order, or legal process, or if we believe disclosure is necessary to protect our rights, the safety of any person, or to investigate fraud or abuse.
4.3 Business Transfers
In the event of a sale, merger, acquisition, or other business transfer involving Empac, your information may be transferred as part of that transaction. You will be notified in advance of any such transfer that materially affects how your information is used.
4.4 With Your Consent
We may share information in other ways not described above with your explicit consent.
5. Data Retention
We retain information for the following periods:
5.1 Application Data
Applications that do not convert to engagements are retained for twelve (12) months from submission, then deleted unless you have requested otherwise or unless retention is required by law.
5.2 Audit Engagement Data
For active and completed audit engagements:
- Client portal contents (recording, written assessment, related materials): Hosted for twelve (12) months from audit delivery
- Archive retention: Audit deliverables retained in a private archive for an additional twelve (12) months following portal deactivation (total of twenty-four (24) months from audit delivery)
- After 24 months: Audit deliverables may be permanently deleted at our discretion
5.3 Business Records
Invoices, payment records, and other business documentation are retained for seven (7) years to comply with tax and accounting obligations.
5.4 Communications
Email correspondence and meeting records are retained at our discretion for ongoing client relationships and reference purposes. You may request deletion of specific communications subject to legal retention obligations.
5.5 Access Logs
Client portal access logs are retained for twelve (12) months from the date of access for security and abuse detection purposes.
6. Your Rights
6.1 General Rights
You have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your information, subject to legal retention obligations
- Object to certain uses of your information
- Receive a copy of your information in a portable format
To exercise these rights, contact us at Britton@empac.co. We will respond within thirty (30) days.
6.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to:
- Know what personal information we collect, use, disclose, and sell
- Request deletion of your personal information
- Opt out of the sale of your personal information (we do not sell personal information)
- Non-discrimination for exercising your privacy rights
6.3 European Residents (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation, including:
- The right to access, rectify, or erase your personal data
- The right to restrict or object to processing
- The right to data portability
- The right to lodge a complaint with a supervisory authority
6.4 Other Jurisdictions
Residents of other U.S. states and countries may have additional rights under applicable privacy laws. Contact us to exercise any rights you have under your local law.
7. Security
We take reasonable measures to protect the information we collect, including:
- HTTPS encryption for all Site traffic
- Encrypted storage of sensitive data (Supabase encryption at rest; encrypted credential management for client portal access)
- Row-level security policies on database access
- Magic link authentication for client portals (no passwords stored or transmitted)
- Access logging for security monitoring
- Reasonable employee and contractor training on data handling (currently a sole proprietorship; no employees)
7.1 No Guarantee of Absolute Security
No security measures are perfect. We cannot guarantee absolute security of information transmitted over the internet or stored electronically. By using the Services, you accept this inherent risk.
7.2 Breach Notification
If we become aware of a security incident affecting your personal information, we will notify you in accordance with applicable law, typically within seventy-two (72) hours of confirmation.
8. Third-Party Links and Services
The Site may contain links to third-party websites, services, and tools. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing information to them.
9. Children's Privacy
The Services are not directed at individuals under 18, and we do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a minor, contact us immediately and we will take steps to delete it.
10. International Data Transfers
Empac operates from Washington State, United States. If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States. By using the Services, you consent to this transfer.
For users in jurisdictions with data localization requirements, please contact us to discuss whether the Services can be provided in compliance with those requirements.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to active and recent clients and reflected by the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
12. Contact
For privacy questions, data requests, or concerns:
Britton Lorentzen Empac Britton@empac.co 4904 168th Ave E, Lake Tapps, WA 98391