Home/Legal

Privacy Policy

Last updated: April 22, 2026

Megamize ("we," "us," "our") is a CRO/conversion-optimization consultancy operated by Aaron Ginn out of the United States. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have. By using megamize.co, receiving outreach from us, or working with us as a client, you agree to this Policy.

1. Who we are + how to contact us

Data controller: Megamize (Aaron Ginn, sole proprietor)
Email: aaron@megamize.co
Mailing address: Available on request — email above

2. Information we collect

From visitors to megamize.co

  • Audit form submissions: name, email, company, website, role, revenue band, growth context you describe
  • Newsletter sign-ups: email address
  • Browsing data: pages visited, referrer, device type, anonymized IP, user agent (via Vercel Analytics)
  • Cookies + tracking: see our Cookie Policy

From cold outbound prospects

We collect publicly available business contact information from sources like Apollo, LinkedIn, and your company website. This includes:

  • Name, professional email address, job title, company, company domain
  • LinkedIn profile URL (if publicly listed)
  • Mobile phone number (only when verified through a B2B data provider)
  • Publicly observable signals about your role, company, or recent activity

We process this data under the legitimate interests basis (Article 6(1)(f) GDPR) for B2B prospecting purposes, balanced against your privacy interests. You may opt out at any time (see Section 7).

From clients + paid engagements

  • Business contact details, billing information, signed agreements
  • Site analytics + experimentation data you grant us access to (GA4, Optimizely, VWO, etc.)
  • Strategic context shared in working sessions

3. How we use your information

  • Deliver the Growth Pulse audit you requested via the website form
  • Cold outbound: initial email outreach, follow-up calls, and (post-engagement) SMS to relevant decision-makers at companies that fit our ICP
  • Research + personalize our outreach using AI tools (see Section 5)
  • Provide ongoing services to clients
  • Improve our website + materials using aggregate analytics
  • Comply with legal obligations (tax, accounting, regulatory requests)

4. Cookies + analytics

We use a small number of cookies and tracking technologies. Details in our Cookie Policy.

  • Vercel Analytics — anonymized page-view data, no personal identifiers
  • Clerk — authentication cookies for the password-protected dashboard at /dashboard
  • No third-party advertising or remarketing pixels

5. AI processing disclosure

We use AI services to generate research briefs + personalize outreach drafts. When we research a publicly available company website or LinkedIn profile, the page contents may be sent to:

  • Anthropic (Claude) — for analysis + draft generation (does not train on customer data per Anthropic's API terms)
  • Firecrawl — to fetch publicly accessible website content

We do not send your private data, financial information, or anything not publicly accessible to AI services without explicit consent.

6. Service providers we share data with

We use the following third-party processors. Each is contractually bound to protect your data and use it only for the services they provide to us.

ProviderPurposeRegion
VercelWeb hostingUSA
SupabaseDatabase (prospect + audit data)USA
ClerkAuthentication for /dashboardUSA
ResendTransactional email (audit form notifications)USA
SmartleadCold email sendingUSA
QuoCold calling + SMSUSA
ApolloB2B contact data (cold prospect sourcing)USA
LeadMagicEngagement-gated contact enrichmentUSA
Anthropic (Claude)AI research + content draftingUSA
FirecrawlPublic web page fetching for researchUSA

We do not sell your personal information to third parties.

7. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Object to our processing for direct marketing — including cold outreach
  • Restrict certain processing
  • Port your data to another provider
  • Withdraw consent at any time where we rely on consent

To exercise any of these rights, email aaron@megamize.cowith the subject line "Privacy Request." We respond within 30 days.

Specifically: opting out of outreach

  • Email: reply with "unsubscribe" or click the unsubscribe link in any email. We process within 24 hours.
  • SMS: reply STOP to any text. Confirmation sent automatically. See our SMS Policy.
  • Calls: tell us not to call again, and we'll add you to our internal Do Not Call list.
  • All channels: email aaron@megamize.co and we'll suppress you across email, phone, SMS, and LinkedIn.

8. California (CCPA) rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the "sale" of personal information. We do not sell personal information. To exercise other CCPA rights, email aaron@megamize.co.

9. EU/UK (GDPR) rights

If you are in the EU, UK, or EEA, our processing of your data falls under GDPR. Our lawful bases are:

  • Consent — for newsletter signups + cookies
  • Legitimate interests — for B2B cold outreach (balanced against your interests)
  • Contract — for delivering services to clients
  • Legal obligation — for tax + accounting

You may file a complaint with your local supervisory authority. EU-based users can find theirs at edpb.europa.eu.

10. Data retention

  • Audit form submissions: retained as long as the prospect relationship is active, or up to 24 months
  • Client data: retained for 7 years after engagement ends (US tax requirements)
  • Cold outbound prospect data: deleted on request, or after 12 months of zero engagement
  • Analytics data: aggregated, retained indefinitely; raw events purged after 90 days

11. Security

We use industry-standard encryption in transit (HTTPS) and at rest (Supabase + Vercel encryption). Authentication is gated by Clerk with multi-factor authentication available. We limit internal access to data on a need-to-know basis.

Breach notification: if your personal data is compromised, we will notify affected individuals within 72 hours of confirming the breach, as required by GDPR Article 33.

12. Children

Our services are not directed at children under 16. We do not knowingly collect personal information from minors. If you believe we have, email aaron@megamize.co and we will delete it.

13. Changes to this policy

We may update this Policy from time to time. Material changes will be flagged at the top of the page or notified via email to active subscribers. The "Last updated" date at the top reflects the most recent revision.

14. Contact

Questions, concerns, or requests: aaron@megamize.co

Other policies
Privacy PolicyTerms of ServiceCookie PolicySMS Policy
Questions? Email aaron@megamize.co