Legal

Privacy Policy

Last updated: July 6, 2026

This Privacy Policy explains how NobleRise Digital Marketing (“NobleRise,” “we,” “us,” “our”) collects, uses, discloses, retains, and protects personal information, and the rights you have. It applies to our marketing website, our subscription platform and dashboards (the “Service”), and our connected integrations. We act as a business / data controller for our own account holders and website visitors, and as a service provider / data processor for the client and end-customer data our account holders manage through the Service.

Company details: NobleRise Digital Marketing [insert registered legal entity, e.g. “NobleRise Digital Marketing LLC”], [business mailing address, City, State ZIP]. Privacy contact: privacy@noblerise.com. We are based in the United States (Montana).

1. Information we collect

We collect the following categories of personal information:

  • Identifiers & account data: name, email, hashed password, role, job title, phone, extension, work email.
  • Employer / HR data (only if you use those features): compensation, time-off, availability, payroll and accounting entries you input.
  • Clients you manage: business name, website, category, location, contacts, monthly fee, and the marketing data generated for them (audits, rankings, ROI).
  • Leads & contacts: contact details captured through your website forms, call/chat tools, and the AI agents.
  • Commercial / usage data: subscription and plan status, feature usage, and support requests.
  • First-party website analytics: anonymous visit, click, phone-tap, and sale/conversion events on sites where you install our tag — using random first-party IDs. We do not operate cross-site tracking or third-party identity graphs.
  • Payment data: processed by Stripe; we store a customer ID and subscription status and never store full card numbers.
  • Connected-account data: tokens and data you authorize us to access from third parties (e.g. Google — see Section 4), stored encrypted at rest.
  • Device & log data: IP address, browser type, and security/audit logs, used to operate and secure the Service.

Sources: directly from you; automatically from your use of the Service; from your website visitors (via the tag you install); and from third-party services you connect (e.g. Google, Stripe).

2. How we use information & our legal bases

We use personal information to: provide and operate the Service and the tools you request; process billing, payroll and accounting you enter; find, capture, and follow up on leads on your behalf; generate audits, content, and reports; send transactional and service messages; provide support; secure and improve the Service; and comply with legal obligations.

Where the EU/UK GDPR applies, our legal bases are: performance of a contract (to deliver the Service), legitimate interests (to secure, improve, and operate the Service), consent (where required, e.g. certain communications — withdrawable at any time), and legal obligation.

We do not sell personal information, we do not “share” it for cross-context behavioral advertising, and we do not use client, lead, or connected-account data to train third-party AI models beyond carrying out your specific request.

3. Google user data & Limited Use

When you connect a Google account, we access only the data needed for the feature you enable, using Google OAuth. Depending on the features you turn on, this may include:

  • Google Analytics (GA4) — read-only traffic metrics, to show your website performance and ROI.
  • Google Search Console — read-only search clicks, impressions, and query/position data, to report and improve your search visibility.
  • Google Ads — campaign, spend, and performance data (and, where you authorize it, ad-management actions), to analyze, report, and optimize your advertising.
  • Google Business Profile — profile, review, and post data, to manage your local presence (where enabled).

How we handle it: Google data is used only to provide these user-facing features to you; it is stored encrypted at rest and access is restricted to your organization under role-based controls; it is not used for advertising; it is not sold or transferred to third parties except sub-processors that help deliver the feature (Section 5), to comply with law, or as part of a business transfer with notice; and it is deleted or de-identified when you disconnect the integration or close your account, subject to legal retention. You can revoke our access at any time in your Google Account permissions or by contacting us.

NobleRise's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not use Google user data for serving ads, we do not sell it, we do not transfer it except as needed to provide or improve user-facing features, to comply with applicable law, or as part of a merger/acquisition (with notice), and we do not allow humans to read it except with your consent, for security/abuse/legal reasons, or where the data has been aggregated and anonymized.

4. Automated processing & AI

The Service uses AI models (e.g. Anthropic Claude, Perplexity) to generate audits, content, scoring, and recommendations from the data you provide or connect. These outputs are decision aids, not automated decisions with legal or similarly significant effect; a human reviews and approves actions that touch your live accounts. We do not use your data to train third-party foundation models. Where automated decision-making rights apply to you, contact us to request human review.

5. How we share information & sub-processors

We disclose personal information only to service providers/processors that help us run the Service, each under a contract limiting their use of the data:

  • Stripe — payments & billing.
  • Anthropic and Perplexity — AI generation and live research.
  • Google — Analytics, Search Console, Ads, Business Profile, Places (per Section 3).
  • Resend — transactional & campaign email; Twilio / Vapi — SMS/voice (if enabled); CallRail — call tracking (if enabled).
  • Railway (or our then-current hosting/infrastructure provider) — application & database hosting.

We may also disclose information to comply with law or valid legal process, to enforce our terms, to protect rights and safety, or in connection with a merger, acquisition, or asset sale (with notice as required). We maintain a current sub-processor list and sign a Data Processing Agreement (DPA) with each provider. We do not sell or share personal information for cross-context behavioral advertising.

6. Data retention

We keep personal information for as long as your account is active and as needed to provide the Service, then for the period required for legal, tax, accounting, dispute-resolution, and security purposes. First-party analytics events are retained on a rolling basis. Cancelling revokes access immediately; after that you may request deletion, and we delete or de-identify data within the timeframe your law requires (generally within 30 days of a verified request), except where retention is legally required.

7. How we protect information

  • Encryption in transit (HTTPS enforced via HSTS) and encryption at rest for sensitive stored secrets and OAuth tokens (AES-256-GCM).
  • Passwords hashed with bcrypt; optional two-factor authentication (TOTP).
  • Role-based, least-privilege access control; every page and API is access-checked; multi-tenant isolation between organizations.
  • Login brute-force throttling, input validation, SSRF protection, security headers/CSP, and an audit log of sensitive actions.
  • API keys stored as hashes, rate-limited and revocable; webhooks are signed.
No method of transmission or storage is 100% secure, but we work to protect your information and continually improve our controls.

8. Your privacy rights

Everyone. You may request to access, correct, delete, or export your personal information, and to object to or restrict certain processing. Account holders can also edit or delete clients and employees directly in the platform, and admins can fulfil export/erasure requests in the Data & Privacy console.

EU / UK (GDPR). You have the rights of access, rectification, erasure, restriction, data portability, objection, and to withdraw consent, and to lodge a complaint with your supervisory authority.

California (CCPA/CPRA). You have the right to know/access, delete, and correct your personal information; to opt out of the “sale” or “sharing” of personal information and to limit the use of sensitive personal information; and to non-discrimination for exercising your rights. We do not sell or share personal information, and we do not use sensitive personal information for purposes requiring a limitation right. You may use an authorized agent to submit requests.

Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other US state laws. Residents of states with comprehensive privacy laws have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale, and certain profiling. Montana residents (Montana Consumer Data Privacy Act) and residents of other states also have these rights. If we deny a request, you may appeal by replying to our decision; we will respond to appeals within the time your law requires.

How to exercise your rights. Email privacy@noblerise.com (or use the in-app Data & Privacy console). We will verify your identity, respond within the timeframe your law requires (generally 45 days, extendable where permitted), and will not discriminate against you for exercising your rights.

9. Do Not Sell or Share / Limit Use of Sensitive Information

We do not sell your personal information and we do not share it for cross-context behavioral advertising, so no opt-out is necessary; if this ever changes, we will provide a clear “Do Not Sell or Share My Personal Information” mechanism and honor opt-out preference signals (e.g. Global Privacy Control) as required by law.

10. International data transfers

We are based in the United States and process data there. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) and take steps to protect the data consistent with this policy.

11. Cookies & tracking

On the Service itself we use a single essential session cookie to keep you signed in; we do not use advertising or cross-site tracking cookies. The first-party analytics tag you install on your own site uses random first-party identifiers to measure visits and conversions and does not build cross-site profiles. You control cookies through your browser settings.

12. Children

The Service is for businesses and is not directed to children. We do not knowingly collect personal information from children under 13 (or the minimum age in your jurisdiction). If you believe a child provided us data, contact us and we will delete it.

13. Third-party links

The Service and our content may link to third-party sites and services we don't control. Their privacy practices are governed by their own policies; please review them.

14. Data breach notification

We maintain an incident-response process and, in the event of a personal-data breach, will notify affected users and regulators as required by applicable law and within the applicable deadlines.

15. Changes to this policy

We may update this policy and will post the new version here with a revised “Last updated” date; material changes will be communicated as required by law.

16. Contact us

Questions, requests, or complaints: privacy@noblerise.com, or NobleRise Digital Marketing, [business mailing address]. For EU/UK matters you may also contact your local data protection authority.

This policy describes the Service's actual technical and operational practices and is written to align with the Google API Services User Data Policy (Limited Use), CAN-SPAM, the TCPA, the CCPA/CPRA, and other US state privacy laws and the GDPR. It is provided for convenience and is not legal advice. Insert your registered legal entity name and address in the bracketed fields, and have a qualified attorney review and adapt it to your business and jurisdiction before you rely on it.