Privacy Policy

Effective Date: July 4, 2026

The Cypher Group, LLC dba. Catchword (“Company,” “we,” “us,” or “our”) values your trust and respects your privacy. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you interact with our website at https://catchwordbranding.com, our services, and our communications (collectively, the “Services”).

This Privacy Policy is designed to comply with applicable laws, including:

  • U.S. state privacy laws (such as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), Virginia CDPA, Colorado Privacy Act, Connecticut DPA, and Utah Consumer Privacy Act), and
  • International laws including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR.

By using our Services, you agree to the practices described in this Privacy Policy.

1. Information We Collect

We collect personal information from you in several ways:

Information You Provide Directly

  • Contact form submissions: name, email address, telephone number, company information, and details about your project or inquiry.
  • Blog subscriptions: email address and first name.
  • Communications: information you provide when contacting us by email, phone, or otherwise.
  • Project-related content: creative briefs, brand descriptors, product information, or other business data you submit for AI-assisted naming or related services. Although typically business in nature, this may constitute “personal information” if tied to identifiable individuals.

Information Collected Automatically

  • Log data: IP address, browser type, operating system, referring/exit pages, and the dates/times of your visits.
  • Cookies and tracking technologies: to recognize you, improve site functionality, and deliver personalized content. (See Section 7, Cookies.)

Information From Third Parties

Service providers, analytics partners, and marketing platforms may provide us with additional data about user engagement and interactions.

We do not intentionally collect special categories of personal data under GDPR (such as health, political opinions, religious beliefs, or biometric data) unless strictly necessary and only with your explicit consent.

For a detailed list of the categories of personal information we collect, please see Appendix A.

2. Purposes and Legal Bases for Processing

Under GDPR, we must identify the lawful basis for each processing purpose. We rely on the following:

  • Performance of a Contract – to provide services you request.
  • Consent – for marketing communications, blog subscriptions, and cookies (you may withdraw consent at any time).
  • Legitimate Interests – to improve our Services, maintain security, and conduct analytics (balanced against your rights).
  • Legal Obligation – to comply with applicable laws or respond to lawful requests.
  • Protection of Vital Interests – in rare cases, to protect someone’s life or safety.
  • AI and Machine Learning – We may process business information and other data within our own AI and machine learning systems to improve and deliver our services (for example, to enhance search, automate workflows, or detect fraud). Such processing is limited to our internal systems and business purposes. We do not allow your information to be used to train external AI models operated by third parties for their own purposes. This may include processing of project-related content you submit (e.g., creative briefs, brand descriptors, or product information). While often business in nature, such content may be considered personal information if linked to identifiable individuals.

For a summary of the purposes and legal bases associated with each category of personal information, please refer to Appendix A.

3. Sharing and Disclosure of Information

We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA). We may disclose personal information to our service providers and contractors to help us operate our services, and these disclosures are made pursuant to contracts that restrict the use of the information to our business purposes only. We may share information in the following circumstances:

  • Service providers: with vendors who perform services on our behalf (e.g., hosting, analytics, email distribution).
  • Legal compliance: if required by law, legal process, or governmental request.
  • Business transfers: in connection with a merger, acquisition, or sale of assets.
  • With your consent: when you direct us to share your information.
  • Artificial Intelligence Processing: when we use AI or machine learning to process your information and to train our systems. In these cases the processing occurs only within systems controlled by us. We do not disclose personal or business information to external AI providers for the purpose of training their models or for any other use.

These disclosures are not considered a “sale” or “sharing” of personal information under the California Consumer Privacy Act (as amended by the CPRA).

When we transfer personal data outside the European Economic Area (EEA) or UK, we implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms.

We treat all project submissions, including naming briefs, brand descriptors, and generated outputs, as confidential. We do not disclose this information to third parties except as required to deliver our Services (e.g., through contracted service providers acting on our behalf) or to comply with applicable law.

4. Your Rights

A. Under U.S. State Privacy Laws (CCPA/CPRA, etc.)

Depending on where you reside, you may have the following rights:

  • Right to Know/Access: You may request details about the categories and specific pieces of personal information we collect, use, disclose, and retain.
  • Right to Delete: You may request deletion of personal information we hold about you, subject to legal exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: While we do not sell personal information, some states grant you the right to opt out of such practices.
  • Right to Limit Use of Sensitive Personal Information: Where applicable.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

B. Under GDPR/UK GDPR, you also have the right to:

  • Access: You may obtain confirmation and a copy of the personal data we process about you.
  • Rectification: You may request correction of inaccurate or incomplete data.
  • Erasure (“Right to be Forgotten”): You may request deletion of personal data when it is no longer necessary or when consent is withdrawn.
  • Restriction: You may request limitation of processing in certain circumstances.
  • Portability: You may request transfer of your personal data to another controller in a structured, commonly used format.
  • Object: You may object to processing based on legitimate interests, or to direct marketing.
  • Withdraw Consent: You may withdraw consent at any time (without affecting prior lawful processing).
  • Complain: You may lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or a Data Protection Authority in the EU).

To exercise any of these rights, please contact us at:
Email: [email protected]
Mail: 3645 Grand Avenue, Suite 206, Oakland, CA 94610

5. Data Retention

We retain personal information no longer than necessary for the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce agreements. We may retain personal information for longer if required by law. Once data is no longer needed, it will be securely deleted or anonymized. Notwithstanding the foregoing, business descriptions included in training datasets may be retained in anonymized form for ongoing model improvement. If you opt out, your project data will be used only to deliver your naming project and then deleted per our standard retention schedule.

For example:

  • Contact form information: retained indefinitely unless you request deletion.
  • Blog subscription data: retained until you unsubscribe.
  • Log and analytics data: retained according to our system retention schedules, typically not longer than 26 months.

6. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect personal information from unauthorized access, use, or disclosure. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

7. Cookies and Tracking Technologies

We use cookies, pixels, and similar technologies to:

  • Remember user preferences.
  • Improve the performance and security of the Site.
  • Analyze how visitors interact with the Site.
  • Deliver personalized content.

You may set your browser to refuse cookies or alert you when cookies are being sent. If you disable cookies, some parts of our Site may not function properly.

We will not place non-essential cookies (e.g., analytics, advertising) on your device without your explicit consent, obtained via our cookie banner. You may withdraw or modify your consent at any time by adjusting your cookie settings.

8. Children’s Privacy

  • Under U.S. law (COPPA), we do not knowingly collect data from children under 13.
  • Under GDPR/UK GDPR, we do not knowingly collect data from children under 16 (or lower age as permitted by local law, but never below 13).

If we become aware that we have collected such data without proper consent, we will delete it immediately.

9. International Data Transfers

Your data may be transferred outside your jurisdiction (e.g., from the EEA, UK, or Switzerland to the U.S.; or from the U.S. to our secure servers elsewhere in the world). When this happens, we use approved safeguards such as:

  • Standard Contractual Clauses (SCCs),
  • UK International Data Transfer Addendum, or
  • Other lawful mechanisms.

10. Data Protection Officer / Representative

Catchword is established in the United States and is not currently required to appoint an EU/UK representative or a Data Protection Officer under the GDPR:

  • EU Representative: Not applicable.
  • UK Representative: Not applicable.
  • Data Protection Officer (DPO): We are not required to appoint a DPO under GDPR.

11. Notice at Collection and Transparency

In compliance with the California Consumer Privacy Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), the UK GDPR, and similar privacy laws, we provide additional detail regarding the categories of personal information we collect, the sources of that information, the purposes for which we use it, the lawful bases (where applicable), whether it is sold or shared, and our retention practices.

This information is set out in Appendix A (Notice at Collection and GDPR Transparency Schedule), which forms an integral part of this Privacy Policy. Please review Appendix A for a full breakdown of our data collection and use practices.

12. Methods for Submitting Data Subject Requests

You may exercise your privacy rights under applicable laws (including the GDPR, UK GDPR, CCPA/CPRA, and other state privacy laws) by submitting a request through any of the following methods:

  • Online Web Form – Submit a request through our Contact page.
  • Email – Send your request to [email protected] with the subject line “Privacy Rights Request.”
  • Mail – Submit a written request to: Catchword, Privacy Office, 3645 Grand Avenue, Suite 206, Oakland, CA 94610.
  • Phone (California Residents) – You may also submit a request by calling 510-214-3350.

We will respond to your request within the timeframes required by law (generally 30 days under GDPR/UK GDPR and 45 days under CCPA/CPRA). If more time is needed, we will notify you of the extension and the reason.

We may require you to verify your identity before fulfilling your request. If you use an authorized agent, we may also require proof of authorization.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Effective Date.” We encourage you to review this Policy periodically.

14. Contact Us

If you have questions, concerns, or wish to exercise your rights:

Catchword
3645 Grand Avenue, Suite 206
Oakland, CA 94610
Email: [email protected]
Phone: 510-214-3350

If you are located in the European Economic Area, you may also contact your local data protection authority for concerns.

Appendix A – Notice at Collection and GDPR Transparency Schedule

This Appendix forms part of the Catchword Privacy Policy and provides additional detail required under the CCPA/CPRA, the GDPR, the UK GDPR, and similar privacy laws.

Category of Personal InformationSourcePurpose of Collection & UseLegal Basis (GDPR/UK GDPR)Sold/Shared?Retention Period
Identifiers (name, email, phone number)Directly from you (contact forms, inquiries)Respond to inquiries, provide services, maintain recordsContract (service delivery); Legitimate Interests (business operations)Not sold; may be shared with service providers (e.g., hosting, email delivery)Retained until deletion request or as required by law
Subscription Data (name, email for blog/news)Directly from you (subscription form)Send blog updates, newsletters, and announcementsConsent (you may withdraw at any time)Not sold or sharedRetained until you unsubscribe
Commercial Information (services requested/purchased)Directly from youProvide services, maintain transaction recordsContract; Legal Obligation (recordkeeping)Not sold or sharedRetained as legally required (e.g., tax, accounting)
Internet/Network Activity (IP address, device/browser type, usage data, pages visited, UTM parameters)Automatically via cookies, tracking scripts, and analytics toolsImprove site functionality, monitor security, analytics, detect fraud, measure marketing campaign performance, and analyze B2B user intent.Legitimate Interests (security, service improvement, business operations, analytics); Consent (non-essential cookies)Not sold; shared with analytics, marketing attribution, and B2B intent-tracking providers (e.g., Google, Bilinmedia, Attributer)Typically 26 months, then aggregated or anonymized
Geolocation Data (approximate, IP-based)Automatically via cookies/logsDetect fraud, analyze usage by regionLegitimate InterestsNot sold or shared12 months, then deleted or anonymized
Professional/Employment Information (company, role if included)Directly from you (contact form, inquiries)Tailor responses to business inquiriesLegitimate InterestsNot sold or sharedRetained until deletion request
Project-Related Content (creative briefs, brand descriptors, product information submitted for AI naming or related services)Directly from youTo generate names, provide branding recommendations, and improve service delivery. Also processed within our internal AI/ML systems to enhance functionalityContract (to provide requested services); Legitimate Interests (service improvement); Consent (where applicable)Not sold or shared; processed only within our controlled systemsRetained as long as necessary to deliver services, then securely deleted or anonymized
Inferences (preferences, engagement patterns)Derived from interactions (emails, cookies, analytics)Personalize communications, improve servicesLegitimate Interests; Consent (marketing analytics)Not sold; may be shared with service providersUntil you unsubscribe or request deletion
Business Information and Related Data (e.g., contact details, project details, usage data)Directly from you; automatically collected (logs/cookies); derived from interactionsUsed within our own controlled AI and machine learning systems to improve and deliver our services (e.g., enhance search, detect fraud, automate workflows). We do not permit use of this information for training external AI models.Legitimate Interests (improving services, security, fraud prevention); Contract (where necessary to provide services); Consent (where required for cookies/analytics inputs)Not sold or shared; processed only within our controlled systemsRetained as long as necessary for service improvement and security purposes, then securely deleted or anonymized