Privacy Policy

Effective Date: 4/5/2026 (Version 7)

Privacy Policy

Last Updated: April 5, 2026

This Privacy Policy ("Policy") describes how Meerkat 9000, LLC ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects information in connection with the Remote Timers platform, including all websites, applications, dashboards, APIs, timer displays, and related services (collectively, the "Service").

BY ACCESSING OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY. If you do not agree, you must not use the Service.

1. Scope and Applicability

This Policy applies to all users of the Service, including individuals, businesses, venue operators, employees, contractors, and any automated systems, bots, scripts, crawlers, or artificial intelligence agents that interact with the Service.

The Service is intended primarily for users located in the United States. The Service is not intended for residents of the United Kingdom, the European Union, the European Economic Area, or any other jurisdiction that imposes data protection obligations beyond those of the United States, including but not limited to jurisdictions subject to the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, or the Bundesdatenschutzgesetz (BDSG). If you access the Service from such jurisdictions, you do so entirely at your own risk. You acknowledge and agree that we make no representation of compliance with GDPR, BDSG, or any similar non-U.S. data protection regulation, and that we disclaim all liability arising from your access or use of the Service from a non-U.S. jurisdiction.

2. Information We Collect

2.1 Information You Provide Directly

We may collect information you voluntarily provide, including but not limited to:

  • Name, email address, phone number
  • Account credentials and authentication data
  • Multi-factor authentication credentials, including authenticator app configuration data, hardware security key and passkey public keys, and hashed recovery codes
  • Business or venue information
  • Billing and subscription details (processed via third-party providers)
  • Communications sent to us (support requests, emails, feedback)

2.2 Information Received from Third-Party Authentication Providers

When you sign in using a third-party identity provider (e.g., Google), we receive and store certain information from that provider, which may include:

  • Name and email address
  • Profile photograph or avatar
  • Unique account identifier issued by the provider
  • Email verification status

We use this information to create or link your account, verify your identity, and provide the Service. We do not receive or store your third-party provider password. The information shared with us is governed by your privacy settings with the third-party provider and that provider's own privacy policy.

2.3 Automatically Collected Information

When you access or use the Service, we may automatically collect:

  • IP address, device identifiers, browser type, operating system
  • Usage data, logs, timestamps, and interaction metadata
  • Session data, cookies, local storage identifiers
  • Error logs, crash reports, performance metrics

We may collect this information even if you do not create an account or log in.

2.4 Timer and Display Data

Timer configurations, themes, durations, and display states may be stored and transmitted in real time. You acknowledge that publicly accessible timer pages may expose limited, non-sensitive information by design.

2.5 Authentication Credential Data

When you enable multi-factor authentication, we store: (a) encrypted TOTP secrets for authenticator apps; (b) public key material for registered passkeys and hardware security keys (public keys can verify your identity but cannot impersonate you); (c) bcrypt-hashed recovery codes (one-way hash, cannot be reversed to reveal original codes); (d) credential metadata including device type, registration date, and last use date. We do not store: biometric data, private keys, PIN codes, or any information that could be used to impersonate your authentication credentials.

3. How We Use Information

We use collected information for purposes including, but not limited to:

  • Providing, operating, and maintaining the Service
  • Authentication, authorization, and account management
  • Billing, payments, and subscription enforcement
  • Security monitoring, fraud prevention, and abuse detection
  • Improving performance, features, and user experience
  • Communicating with users, including service-related and marketing messages
  • Measuring advertising effectiveness and delivering relevant advertisements (only with your consent)
  • Legal compliance and enforcement of our Terms

WE MAY USE DATA IN AGGREGATED, ANONYMIZED, OR DERIVED FORMS FOR ANY LEGITIMATE BUSINESS PURPOSE.

4. Cookies and Tracking Technologies

We use cookies, local storage, and similar technologies to operate the Service, maintain sessions, enforce rate limits, store consent preferences, and improve functionality.

4.1 Cross-Domain Cookie Sharing

The Service operates across multiple domains and subdomains (e.g., a marketing site and an application site). Certain cookies, including your consent preferences and authentication tokens, are set on the parent domain so that they are accessible across all subdomains. This means that when you accept or reject cookies on one part of the Service, that choice is recognized across all parts of the Service without requiring you to consent again.

4.2 Types of Cookies

Cookies used by the Service may include:

  • Strictly Necessary Cookies: Required for the Service to function, including authentication, session management, consent storage, and security cookies. These cannot be disabled.
  • Functional Cookies: Used to remember your preferences and settings.
  • Analytics Cookies: Help us understand how users interact with the Service so we can improve it. Only set with your consent.
  • Marketing Cookies: Used to deliver relevant advertisements and measure advertising effectiveness. Only set with your consent.

You acknowledge that disabling strictly necessary cookies may impair or prevent use of the Service. You may manage your cookie preferences at any time through the cookie settings accessible from the Service.

Detailed information about specific cookies is available in our Cookie Policy.

5. Third-Party Services and Data Sharing

We may share information with third-party service providers who assist us in operating the Service, including but not limited to:

  • Identity and authentication providers (e.g., Google) for account creation, sign-in, and identity verification
  • Payment processors (e.g., Stripe)
  • Hosting and database providers (e.g., cloud infrastructure, managed databases)
  • Analytics and monitoring services (e.g., Google Analytics)
  • Advertising and conversion tracking services (e.g., Meta / Facebook)
  • Email, SMS, or notification delivery services

These providers are authorized to process data solely to perform services on our behalf. Each third-party provider operates under its own terms of service and privacy policy, which we encourage you to review.

When you authenticate via a third-party provider, information may flow between the Service and that provider as necessary to verify your identity and maintain your account. We may share your email address with authentication providers to facilitate account linking and deduplication as described in our Terms of Service.

5.1 Advertising and Conversion Tracking

When you consent to marketing cookies, we share certain information with Meta Platforms, Inc. ("Meta") through both client-side tracking (Meta Pixel) and server-side data sharing (Meta Conversions API). Information shared may include:

  • A cryptographically hashed (non-reversible) version of your email address
  • A cryptographically hashed (non-reversible) version of your user account identifier
  • Your IP address (for user-initiated events only)
  • Your browser user agent string (for user-initiated events only)
  • Page URLs you visit on the Service (for user-initiated events only)
  • Conversion events, such as account registration, checkout initiation, trial starts, and purchases
  • Subscription lifecycle events, such as plan upgrades, plan downgrades, subscription cancellations, and subscription renewals

User-Initiated Events

When you take actions on the Service (such as registering, checking out, or upgrading your plan), conversion events are sent to Meta from both the client-side pixel in your browser and from our servers. These events include your IP address, browser information, and the page URL where the action occurred.

System-Generated Lifecycle Events

Certain subscription events occur on our servers without direct browser interaction — for example, when a subscription automatically renews, or when a cancellation takes effect. When these events occur, we send them to Meta from our servers using only your hashed email address and hashed user account identifier. No IP address, browser information, or page URL is included in system-generated events because there is no associated browser session.

This data is used by Meta to measure the effectiveness of our advertising campaigns and to deliver relevant advertisements. This sharing occurs only when you have given marketing consent through the cookie preference settings on the Service. If you reject or revoke marketing cookies, no data is sent to Meta through either client-side or server-side mechanisms, including system-generated lifecycle events.

Each event sent to Meta includes a unique event identifier that is shared between the client-side pixel and the server-side Conversions API. This allows Meta to deduplicate events and prevents double-counting.

We do not store conversion event data in our own database. Events are transmitted directly to Meta's servers at the time they occur and are not retained by us.

5.2 California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), provides you with specific rights regarding your personal information.

Categories of Personal Information Collected

We collect the following categories of personal information as described in Section 2 of this Policy:

  • Identifiers: Name, email address, account credentials, IP address, browser identifiers
  • Commercial Information: Subscription and billing records, transaction history
  • Internet or Electronic Network Activity: Usage data, browsing history on the Service, interaction metadata, device and browser information
  • Inferences: Advertising interest profiles created by third-party advertising partners based on your activity

Categories of Personal Information Shared for Targeted Advertising

When you consent to marketing cookies, the following categories of personal information may be shared with Meta for purposes of cross-context behavioral advertising:

  • Identifiers: A hashed version of your email address and a hashed version of your user account identifier
  • Internet or Electronic Network Activity: Pages visited on the Service, conversion events (registration, checkout, purchases), and subscription lifecycle events (upgrades, downgrades, cancellations, renewals)

This sharing constitutes "sharing" for cross-context behavioral advertising under the CCPA. It does not constitute a "sale" of personal information, as no monetary consideration is exchanged.

Global Privacy Control (GPC)

We detect and honor the Global Privacy Control (GPC) signal as a valid opt-out of the sharing of personal information for cross-context behavioral advertising, as required by CCPA/CPRA regulations (Cal. Civ. Code section 1798.135(e)).

When we detect a GPC signal from your browser:

  • All sharing of personal information with Meta for targeted advertising is immediately ceased for that browser and, if you are signed in, for your account.
  • Analytics and marketing cookies are not set on that browser.
  • The GPC opt-out is recorded on your account to ensure server-side tracking also respects your preference.

We do not treat the absence of a GPC signal on a subsequent visit as consent to resume sharing. If you previously sent a GPC signal and later visit without one, your prior opt-out remains in effect on your account unless you explicitly opt back in through the cookie settings.

Your California Privacy Rights

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you. See Section 9.1 for how to exercise this right.
  • Right to Delete: You may request deletion of your personal information. See Section 9.2 for how to exercise this right.
  • Right to Correct: You may request correction of inaccurate personal information. See Section 9.3.
  • Right to Opt Out of Sharing for Targeted Advertising: You may opt out of the sharing of your personal information for cross-context behavioral advertising at any time by rejecting marketing cookies through the cookie preference settings accessible from the Service, or by enabling Global Privacy Control (GPC) in your browser. When you opt out, no personal information is shared with Meta or any other advertising partner.
  • Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality, or service levels based on your privacy choices.

To exercise your rights, use the tools provided in your account settings (see Section 9) or contact us through the Service.

We may also disclose information if required by law, legal process, or governmental request, or to protect the rights, property, or safety of the Company, our users, or others.

6. Data Retention and Deletion

6.1 Retention During Active Use

We retain your personal information for as long as your account is active and as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

6.2 Retention After Account Deletion

When you delete your account (see Section 9 below), we permanently delete your personal data from our systems, including your profile information, timers, settings, themes, branding, usage records, connection history, uploaded files, consent records, authentication credentials, and all multi-factor authentication data including authenticator secrets, registered passkey and hardware key credentials, recovery code hashes, and verification session records.

The following limited information may be retained after account deletion:

  • Anonymized audit records: Internal billing reconciliation and webhook event logs are retained with all personally identifiable information removed (replaced with a non-reversible placeholder). These anonymized records cannot be linked back to you and are maintained solely for billing integrity and fraud prevention purposes.
  • Aggregated or anonymized data: We may retain data in aggregated or anonymized form that cannot identify you, for analytics and business improvement purposes.

6.3 Retention of Payment Processor Records

Our payment processor (Stripe) may retain certain transaction records independently in accordance with its own privacy policy and legal obligations. Deletion of your account from our Service includes deletion of your customer record from Stripe, but Stripe may retain internal records as required by financial regulations.

6.4 Backup and Recovery Systems

Deleted data may persist in encrypted backup systems for a limited period as part of our standard disaster recovery processes. Backup data is not actively used and is overwritten in the normal course of backup rotation.

6.5 Third-Party Advertising Data

When you delete your account, we clear all tracking cookies (including Meta Pixel and click identifiers) from your browser. However, data previously sent to third-party advertising services (such as Meta) while your marketing consent was active is retained by those services in accordance with their own data retention policies. To request deletion of data held by Meta, visit Meta's privacy settings at facebook.com/privacy. To request deletion of data held by Google, visit myaccount.google.com.

7. Data Security and Risk Acknowledgment

We implement reasonable administrative, technical, and organizational measures to protect information. However, NO SYSTEM IS COMPLETELY SECURE.

You acknowledge and agree that:

  • Data transmission over the internet carries inherent risks
  • We cannot guarantee absolute security
  • You use the Service and provide information at your own risk

TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE DISCLAIM LIABILITY FOR UNAUTHORIZED ACCESS, DATA BREACHES, OR DATA LOSS.

8. Marketing Communications

By providing contact information, you consent to receive communications from us, including marketing messages, subject to applicable law.

You may opt out of marketing communications where required by law, but you may continue to receive transactional or service-related messages.

9. Your Rights and Choices

You have the following rights with respect to your personal information held by the Service:

9.1 Right to Access and Data Export

You may request a copy of the personal data we hold about you at any time. The Service provides a data export feature accessible through your account settings that allows you to download a machine-readable copy (JSON format) of your data, including:

  • Your profile and account information (excluding security credentials such as password hashes and two-factor authentication secrets)
  • Timer configurations and presets
  • Settings and preferences
  • Connection and usage history
  • Theme customizations and favorites
  • Consent preferences and history, including consent source and GPC detection status
  • Legal document acceptance records
  • Billing history, including subscription details, invoices, and payment methods (redacted to card brand and last four digits only)
  • Marketing and tracking status, including current consent preferences and descriptions of data shared with third-party services
  • Multi-factor authentication status, registered credential metadata (names, types, dates — excluding cryptographic material and recovery code hashes for security)

9.2 Right to Deletion

You may request deletion of your account and all associated personal data at any time through the account settings within the Service. Deletion is available in two modes:

  • Immediate Deletion: Your account and all data are permanently deleted upon confirmation. Any active subscription is canceled immediately. Unused subscription time is forfeited with no refund or credit. All tracking cookies are cleared from your browser.
  • Scheduled Deletion: If you have an active subscription, you may schedule deletion for the end of your current billing period. You retain full access until then and may cancel the deletion request at any time before it takes effect.

For full details on the account deletion process, including the effect on subscriptions and data, see Section 5.4 of our Terms of Service.

9.3 Right to Correction

You may update or correct your personal information at any time through your account settings, including your name, email address, venue name, and branding information.

9.4 Right to Withdraw Consent

You may withdraw your consent for optional data processing (such as analytics and marketing cookies) at any time through the cookie settings accessible from the Service. You may also enable Global Privacy Control (GPC) in your browser to automatically opt out of analytics and marketing data sharing. Withdrawal of consent does not affect the lawfulness of processing performed prior to withdrawal. Note that strictly necessary cookies required for the Service to function cannot be disabled.

9.5 Limitations

While we endeavor to honor all legitimate requests, we may deny or limit requests where:

  • Fulfillment is not technically feasible (e.g., data has already been anonymized or aggregated);
  • The request is excessive, repetitive, or manifestly unfounded;
  • Compliance would violate applicable law or a legal obligation;
  • Compliance would compromise security, fraud prevention, or the rights of other users.

If we deny a request, we will provide the reason for the denial.

10. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided information, contact us.

11. Changes to This Policy

We reserve the right to update this Policy at any time. Changes become effective upon posting. If we make material changes that affect your rights or how we process your personal data, we will notify you through the Service or via the email address associated with your account. Continued use of the Service after changes become effective constitutes acceptance of the revised Policy.

12. Contact Information

If you have questions about this Privacy Policy, wish to exercise your rights under Section 9 or Section 5.2, or have concerns about how your data is handled, please contact us through the Service or via our official business contact information.