Privacy Policy
Last updated: June 19, 2026
This Privacy Policy (“Policy”) describes how Primagery AI (“Primagery,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you interact with:
- Our marketing website at www.primagery.com
- Our authenticated application at app.primagery.com, including the Command Center (internal operations), Client Portal, APIs, and MCP integrations
- Progressive web app (“PWA”) installations of the application (Add to Home Screen, Mac Dock, Android install prompt)
- Email, SMS, and other communications with Primagery
- Professional services, consulting, and deliverables we provide under contract
By using our Services, you acknowledge this Policy. Where we require consent under applicable law, we will obtain it separately. This Policy supplements — and does not replace — any Data Processing Addendum (“DPA”), statement of work, or client agreement that governs a paid engagement. See our Data Processing Addendum for processor obligations when we handle personal data on behalf of clients.
1. Definitions
- Personal information / personal data: information that identifies or can reasonably be linked to an individual or household.
- Client Data: information uploaded or generated by or for a client organization in the portal (documents, messages, project records, end-customer data submitted by the client).
- Controller: the entity that determines why and how personal data is processed. For marketing site visitors and our own business contacts, Primagery is typically the controller.
- Processor: the entity that processes personal data on behalf of a controller. When we operate the Client Portal for a client's project data, we act as a processor (or service provider) for that Client Data as defined in our DPA.
- Services: websites, software, portals, APIs, PWAs, and professional services described in our Terms of Service.
2. Scope — who this Policy applies to
- Visitors and prospects browsing our marketing properties
- Individuals submitting forms (systems audit, contact, waitlist, referral)
- Authorized users of the Client Portal (client employees, owners, contractors)
- Primagery staff, contractors, and partners using the Command Center
- Individuals whose data is included in Client Data (e.g., hotel guests, employees) — primarily governed by our client's privacy program; see Section 14
Our Services are designed for businesses and adults. They are not directed to children under 16 (or under 13 where COPPA applies). See Section 18.
3. Information we collect
3.1 Information you provide directly
| Category | Examples | Typical source |
|---|---|---|
| Identity & contact | Name, email, phone, job title, company name, business address | Forms, account setup, contracts, support |
| Account credentials | Email login, password (hashed), password-reset tokens | Registration, auth flows |
| Professional & project | SOW details, intake answers, vertical/industry, locale preferences | Onboarding, portal settings |
| Documents & files | Contracts, IDs, tax forms (W-9, etc.), licenses, operational SOPs, creative assets | Portal document vault, email |
| Communications | Messages, change requests, feedback, support tickets | Portal, email, integrated tools |
| Consent & acknowledgments | Typed legal name, timestamps, terms acceptance, e-sign records | Portal onboarding, document workflows |
| Payment-related (if applicable) | Billing contact, invoice references — not full payment card numbers on our servers when using Stripe-hosted checkout | Billing integrations |
3.2 Information collected automatically
- Device & browser: IP address, user agent, browser type/version, operating system, device type, language, time zone
- Usage & diagnostics: pages viewed, features used, click paths, error logs, performance timings, API request metadata
- Security & audit: login success/failure, authorization denials, rate-limit events, document access logs, administrative actions (where enabled)
- PWA & local storage: service worker cache keys, install state, session persistence — see Cookie Policy
- Referral attribution: if you arrive via a client referral link (`/r/[slug]`), we store referral cookies to attribute the submission to the referring client for rewards and analytics — see Cookie Policy
- Approximate location: derived from IP address (city/region level), not precise GPS unless you explicitly provide it
3.3 Information from third parties
- Business contact data from referrals, partners, or public professional sources
- Authentication claims from identity providers (if configured)
- Payment status from Stripe or similar (we do not store full card numbers)
- Email delivery and bounce metadata from email providers
3.4 Sensitive and special-category data
We do not intentionally collect sensitive personal information through marketing forms. Clients may upload documents that contain government IDs, tax identifiers, or other regulated data in the document vault. Clients are responsible for ensuring lawful basis and minimum necessary uploads. We treat such Client Data with enhanced access controls and do not use it for marketing or model training.
We do not intentionally collect biometric identifiers, precise geolocation from device sensors, health records for treatment purposes, or payment card primary account numbers on Primagery infrastructure.
4. How we use personal information
| Purpose | Examples |
|---|---|
| Provide & operate Services | Account provisioning, portal access, document storage, project workflows, deliverables |
| Security & fraud prevention | Authentication, rate limiting, audit logs, incident detection, access reviews |
| Communications | Transactional email (invites, document requests, password reset), project updates |
| Support & quality | Troubleshooting, training, bug fixes, service improvement |
| Legal & compliance | Records retention, responding to lawful requests, enforcing Terms |
| B2B marketing (limited) | Responding to inquiries, newsletters or updates where permitted and with opt-out |
| AI-assisted operations (where enabled) | Internal operator tools (e.g. Wolfie) using prompts and permitted context — not for unauthorized client data exposure |
We do not sell personal information. We do not use Client Data to train public foundation models. We do not share Client Data with third parties for their independent marketing.
5. Legal bases for processing (EEA, UK, Switzerland)
Where GDPR or equivalent law applies, we rely on:
- Contract (Art. 6(1)(b)): processing necessary to provide Services you or your organization requested
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, B2B relationship management, product improvement (balanced against your rights)
- Consent (Art. 6(1)(a)): non-essential cookies, optional marketing where required
- Legal obligation (Art. 6(1)(c)): tax, accounting, regulatory requests
For Client Data processed on behalf of clients, the client determines the legal basis and we process per their documented instructions and our DPA.
6. Automated processing and AI
Some features use automation or AI to summarize, classify, or suggest actions (e.g., geo classification, workflow suggestions, internal assistant tools). These outputs may be inaccurate or incomplete. We do not make solely automated decisions producing legal or similarly significant effects about individuals without human review unless explicitly disclosed and permitted by law.
AI subprocessors (when enabled) receive only the minimum context required for the feature. We configure commercially available data processing terms and opt out of training where offered. See Subprocessors.
7. Cookies, PWA storage, and similar technologies
We use cookies, local storage, and service workers as described in our Cookie Policy. Installed PWAs cache static assets locally for performance; clearing site data or uninstalling removes cached content.
8. How we disclose personal information
- Service providers / subprocessors: hosting, database, email, storage, security, AI — under contracts requiring confidentiality and appropriate safeguards. See Subprocessors.
- Client organizations: if you are a portal user, your organization's administrators may access activity within their tenant.
- Professional advisors: lawyers, accountants, insurers under confidentiality
- Business transfers: merger, acquisition, or asset sale — with notice where required
- Legal & safety: to comply with law, court order, or protect rights, safety, and security
- With consent: other disclosures you authorize
9. International data transfers
Primagery is headquartered in the United States. Personal information may be processed in the United States and other countries where our subprocessors operate. Where required, we implement appropriate safeguards such as:
- EU Standard Contractual Clauses (SCCs) Module 2 (controller-to-processor) or Module 3 (processor-to-processor)
- UK International Data Transfer Addendum (IDTA) or UK SCCs
- Supplementary measures where transfer impact assessments indicate risk
Clients requiring a signed DPA with SCCs may request execution via info@primagery.com.
10. Data retention
| Data type | Typical retention |
|---|---|
| Marketing inquiry / lead forms | Up to 24 months after last contact unless longer needed for active sales cycle |
| Account & portal profile | Duration of relationship + up to 90 days for export/deletion unless legal hold |
| Client documents (vault) | Per Client Agreement; deleted or returned on termination per DPA/offboarding |
| Security audit logs | Typically 12–24 months (longer if incident investigation requires) |
| Backups | Rolling windows per infrastructure provider; deleted on cycle |
| Legal/tax records | As required by applicable law (often 7 years for financial records) |
Retention may be extended for litigation, regulatory investigation, or explicit legal hold. Anonymized or aggregated data may be retained indefinitely.
11. Security measures
We implement administrative, technical, and organizational measures including TLS encryption in transit, role-based access control, password hashing, rate limiting, content security policies, audit logging, environment separation, and documented incident response. No system is perfectly secure. Report suspected vulnerabilities to info@primagery.com.
In the event of a personal data breach likely to pose risk to individuals, we will notify affected clients and/or authorities as required by applicable law (e.g., GDPR 72-hour notification to supervisory authority where Primagery is controller).
12. Your privacy rights
Depending on your location, you may have rights to access, correct, delete, restrict, object, port, or withdraw consent regarding your personal information, and to opt out of certain processing.
12.1 How to submit a request
Email info@primagery.com with subject “Privacy Request” and: (1) your name and email, (2) the nature of the request, (3) the Service you use, (4) proof of identity we may reasonably require. We respond within 30 days (45 for some U.S. state laws) unless extension is permitted.
If your data is held as Client Data, we may direct you to the client organization (data controller) or process your request jointly per the DPA.
12.2 EEA / UK rights
You may lodge a complaint with your local supervisory authority. UK: ICO. EU: your member state authority. We encourage contacting us first so we can address concerns.
12.3 U.S. state privacy rights
Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other states with comprehensive privacy laws may have additional rights including:
- Know categories and specific pieces of personal information collected
- Delete personal information (subject to exceptions)
- Correct inaccurate personal information
- Opt out of “sale” or “sharing” for cross-context behavioral advertising
- Limit use of sensitive personal information (where applicable)
- Non-discrimination for exercising rights
- Appeal a denied request (CO, VA, and others)
California — Do Not Sell or Share: We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined under CPRA. No opt-out link is required for sale/sharing we do not conduct; contact us for other California rights.
Nevada: We do not sell covered information as defined under NRS 603A.
12.4 Canada (PIPEDA) and Brazil (LGPD)
Canadian and Brazilian users may have access, correction, deletion, and portability rights. Contact info@primagery.com. For LGPD, our legal basis and DPO contact are available on request.
13. Marketing communications
We may send service-related messages without marketing consent. Promotional emails include unsubscribe instructions where required by CAN-SPAM. SMS requires prior express consent where TCPA applies. Reply STOP to SMS where offered or email us to opt out.
14. Client Data and end-customer data
When a hospitality operator, agency, or other business uses our portal, they typically control personal data about their staff and customers. They are responsible for privacy notices, consent, and lawful basis for that data. Primagery processes Client Data only per contract, the DPA, and documented instructions. Clients must not upload data they lack rights to share.
15. Third-party websites and integrations
Our sites may link to third parties (e.g., LuminaForge, social profiles, payment pages). Their privacy practices govern those interactions. Integrations enabled by a client may transfer data under that client's configuration.
16. Business changes
If Primagery undergoes a merger, acquisition, or asset transfer, personal information may transfer to the successor subject to this Policy or successor notice.
17. Document vault and regulated industries
The portal may store tax, identity, and contractual documents. Unless a specific Business Associate Agreement (HIPAA) or financial-sector agreement is executed, Primagery is not a HIPAA covered entity or business associate, and Services are not certified for PCI DSS Level 1 processing on our infrastructure — use Stripe or other compliant payment flows for card data. Clients in regulated industries must assess suitability with counsel.
18. Children's privacy
Services are not directed to children under 16 (or 13 under COPPA). We do not knowingly collect personal information from children. Contact us to request deletion if you believe a child provided data.
19. Changes to this Policy
We may update this Policy periodically. Material changes will be posted with a revised “Last updated” date and, where required, additional notice (email or in-app). Continued use after the effective date constitutes acceptance where permitted.
20. Contact us
Primagery AI
Springfield, Missouri, USA
Privacy: info@primagery.com
Related documents: Terms, DPA, Subprocessors, Cookies