Legal
Privacy Policy
Last updated: May 25, 2026.
2. Information you provide
3. Information collected automatically
4. Cookies
5. How we use information
6. How we share information
7. Data retention
8. Security
9. Your choices and rights (general)
10. California residents (CCPA/CPRA)
11. EEA, UK, and Swiss residents (GDPR/UK GDPR)
12. International data transfers
13. Children
14. Do Not Track and Global Privacy Control
15. Changes
16. Contact
This Privacy Policy (“Policy”) describes how Underbeat (“Underbeat”, “we”, “us”) handles information collected through underbeat.com (the “Site”). The Site exists to allow prospective clients to contact us. We collect the minimum information necessary to operate the Site and respond to inquiries.
1. Who we are
Underbeat is a private consulting and design practice with offices in Brooklyn, New York, and Long Beach, California. For purposes of the European Union General Data Protection Regulation and the United Kingdom General Data Protection Regulation, Underbeat acts as the data controller for personal data submitted through the Site. You can reach us at info@underbeat.com.
2. Information you provide
When you use the contact form, you provide:
- Your email address.
- The contents of your message, including anything you choose to disclose in it.
Submission is voluntary. Please do not include sensitive personal data (for example, government identifiers, financial account numbers, or health information) in a contact-form message. If you do, you do so at your own discretion; the Site is not a substitute for a privileged or encrypted communication channel.
3. Information collected automatically
When you visit the Site, our hosting provider (Cloudflare) automatically logs limited technical information needed to deliver the Site and protect against abuse, including:
- IP address and approximate country, used for security, rate-limiting, and abuse prevention.
- Browser user-agent string.
- Pages requested and timestamps.
- Other typical request metadata such as referrer.
The Site does not use third-party analytics, advertising trackers, cross-site tracking pixels, behavioral profiling, or device-fingerprinting. We do not maintain a customer profile based on your browsing.
4. Cookies
We do not set tracking, analytics, or advertising cookies. Cloudflare may set short-lived, security-purpose cookies (such as __cf_bm or cf_clearance) to distinguish humans from automated traffic and to keep the Site available. These cookies are strictly necessary for the secure delivery of the Site and are not used for advertising.
5. How we use information
We use information for the following purposes:
- To respond to your inquiry and any follow-up communication.
- To operate, maintain, and secure the Site, including detecting abuse, debugging, and preventing spam.
- To comply with legal obligations and to enforce our Terms of Use.
We do not use personal information to train artificial-intelligence or machine-learning models.
6. How we share information
We do not sell or rent personal information, and we do not share it with third parties for cross-context behavioral advertising. We share information only as follows:
- Service providers acting as processors:
Cloudflare, Inc. hosts the Site and provides DNS, content delivery, and security services;
Google LLC (Google Workspace) hosts the
info@underbeat.commailbox where your message is delivered. Each operates under its own data-processing agreement and security commitments. - Legal and safety: If required by law, valid legal process, or to protect the rights, property, or safety of Underbeat, our clients, or the public.
- Business transfer: In connection with a merger, sale, or acquisition, subject to confidentiality obligations.
- With your direction: When you ask us to share information with a third party.
7. Data retention
We retain personal information only as long as needed for the purpose for which it was collected, or as required by law.
- Inquiry emails are retained in our inbox for the duration of the relationship and for a reasonable period afterward, typically not more than three (3) years from the last communication, after which we delete them unless we are required to keep them longer.
- Cloudflare request logs are retained by our hosting provider according to its policies, typically not more than 30 days for raw request logs.
- Mailbox backups follow Google Workspace's standard retention policies.
8. Security
The Site is served over HTTPS with HSTS. Form submissions are transmitted over TLS to the server and relayed to our inbox over TLS using SMTP authentication. Access to the inbox is protected by Google Workspace security controls, including multi-factor authentication and password rotation where applicable. We follow reasonable administrative, technical, and physical safeguards in accordance with applicable law (including the New York SHIELD Act). No system is perfectly secure, and we cannot guarantee absolute security.
9. Your choices and rights (general)
You may decline to use the contact form. If you have already contacted us and would like a copy of, correction of, or deletion of the information we hold about you, email info@underbeat.com. We will respond within a reasonable time and consistent with applicable law. We will not discriminate against you for exercising any of these rights.
10. California residents (CCPA/CPRA)
This section provides information required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), and applies to California residents.
10.1 Notice at collection
In the last twelve (12) months, we have collected the following categories of personal information from California consumers, for the purposes described in Section 5 (How we use information):
- Identifiers: email address (provided by you), IP address (collected automatically).
- Internet or other electronic network activity: information about your interaction with the Site, such as pages visited and timestamps.
- Inferences: none. We do not draw inferences from your personal information.
- Sensitive personal information: none requested. If you choose to include sensitive personal information in a message, please see Section 2.
The sources of this information are: directly from you (form input) and automatically from your device and browser (server logs).
10.2 No “sale” or “sharing”
We do not sell personal information and do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA. Because we do not sell or share, there is no “Do Not Sell or Share My Personal Information” opt-out link required on the Site. We have not sold or shared personal information of California consumers (including consumers under 16) in the prior twelve (12) months.
10.3 Your CCPA rights
California residents have the right to:
- Know / access: request the categories and specific pieces of personal information we have collected about you in the prior twelve (12) months, along with the categories of sources and recipients.
- Delete: request that we delete personal information we have collected from you, subject to legal exceptions.
- Correct: request that we correct inaccurate personal information we maintain about you.
- Limit use of sensitive personal information: we do not use or disclose sensitive personal information for purposes that would trigger this right, so it does not apply on this Site.
- Non-discrimination: not be discriminated against for exercising any of the above rights.
10.4 How to submit a request
Submit a verifiable consumer request by emailing info@underbeat.com with “California privacy request” in the subject. We will verify your identity using the email address on file and may ask for additional information sufficient to verify that you are the person about whom we have collected information. An authorized agent may submit a request on your behalf; we may require written proof of the agent's authority. We will respond within 45 days, with a possible 45-day extension if reasonably necessary, as permitted by the CCPA.
10.5 Shine the Light
California Civil Code section 1798.83 (the “Shine the Light” law) permits California residents to request information regarding our disclosure of personal information to third parties for their direct-marketing purposes. We do not disclose personal information to third parties for their direct-marketing purposes.
11. EEA, UK, and Swiss residents (GDPR/UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, this section applies in addition to the rest of this Policy.
11.1 Controller
Underbeat is the controller of personal data submitted through the Site. We do not have a representative or Data Protection Officer designated in the EU or UK at this time; you can reach us directly at info@underbeat.com for any data-protection matter.
11.2 Legal bases
We rely on the following legal bases under Article 6 of the GDPR/UK GDPR:
- Consent (Art. 6(1)(a)): when you voluntarily submit the contact form, you consent to our use of the information for the stated purpose. You may withdraw consent at any time by emailing us; withdrawal does not affect the lawfulness of processing already carried out.
- Legitimate interests (Art. 6(1)(f)): for operating, securing, and improving the Site, preventing fraud and abuse, and responding to inquiries directed to us. We have considered your rights and have concluded that these interests are not overridden by your interests or fundamental rights, given the limited and proportionate nature of the processing.
- Legal obligation (Art. 6(1)(c)): where applicable laws require us to retain or disclose data.
11.3 Your rights
Subject to applicable law, you have the right to: access your personal data, rectify inaccurate data, request erasure, request restriction of processing, object to processing based on legitimate interests, request data portability, and withdraw consent at any time. To exercise any of these rights, email info@underbeat.com.
11.4 Right to lodge a complaint
You have the right to lodge a complaint with your supervisory authority. In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ico.org.uk). In the European Union, you may contact the supervisory authority of the Member State in which you reside or work.
11.5 Automated decision-making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.
12. International data transfers
Underbeat is headquartered in the United States, and our service providers (Cloudflare and Google) are based in the United States. If you contact us from outside the United States, the personal information you provide will be transferred to and processed in the United States. Where required, transfers from the EEA, UK, or Switzerland are protected by appropriate safeguards under Article 46 of the GDPR/UK GDPR, including the European Commission's Standard Contractual Clauses entered into with our service providers, supplemented as needed by additional technical and organizational measures.
13. Children
The Site is not directed to children under 13 (or under 16 in jurisdictions where that is the applicable threshold), and we do not knowingly collect information from them. If you believe a child has submitted information through the Site, please contact us and we will delete it.
14. Do Not Track and Global Privacy Control
This Site does not respond to Do Not Track (DNT) browser signals because there is no widely accepted standard for how such signals should be interpreted. We do not sell or share personal information, so the Global Privacy Control (GPC) signal has no additional effect on our processing on this Site.
15. Changes
We may update this Policy from time to time. Updates are reflected in the “Last updated” date above. Material changes will be highlighted when reasonable; for example, by a banner on the Site or a notice in a follow-up email to recent inquirers.
16. Contact
Questions or requests about this Policy can be sent to info@underbeat.com, or by mail to: Underbeat, 300 Cadman Plaza West, 12th Floor, Brooklyn Heights, NY 11201, USA.